Getting Data In

Windows Eventlog Blacklist Failing

pizzor
Path Finder

Having issues with a blacklist of mine. Trying to filter out specific instances of an event code using regex. When I test out the pattern with regexr for example, it matches without issue. But the events are coming in regardless.

 

My blacklist would be:

 

blacklist7 = EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"

 

 

And an example event would be:

 

06/09/2021 07:55:08 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Special Logon
OpCode=Info
RecordNumber=3400724885
Keywords=Audit Success
Message=Special privileges assigned to new logon.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		ACCOUNTNAME$
...

 

Labels (2)
0 Karma
1 Solution

pizzor
Path Finder

Seems I'm just not careful enough and my stanza name had a typo. The blacklist works as intended once I corrected that.

View solution in original post

pizzor
Path Finder

Seems I'm just not careful enough and my stanza name had a typo. The blacklist works as intended once I corrected that.

richgalloway
SplunkTrust
SplunkTrust

Perhaps it is a typo just in the question, but the EventCode value in the blacklist does not match that in the event.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pizzor
Path Finder

It is, sorry. I am actually doing the same filter for similar events on both event codes 72 and 27, and got my examples mixed up. I'll correct that.

0 Karma

alemarzu
Motivator

Hi @pizzor 

Trying to filter WinEventLogs with more than EventCodes is limited by some key fields. Its not a free regex that you can drop there sort to speak.

You can find this set of valid keys in here: https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...

Hope it helps.

0 Karma

pizzor
Path Finder

Thanks, but the key I am using (Message) is listed. The "Account Name" piece also does show up in the Message field in the final extract results as well.

Splunk documentation also lists what I am trying to do as a example on this doc, under Example 5:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...