Hi,
I'm trying to exclude the service accounts of the users from the below event in Splunk ES.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>
Thanks
@gcusello
Here I'm trying to exclude the service account using join,
search:
(index=winevent OR index=winsec source="XmlWinEventLog:*") eventcode=4662 OR eventcode=4738
We have the fields OU and processname associated with eventcode=4662.
Under OU we have a serviceid, which we have to exclude; under process name we have to exclude agent.exe.
Likewise there are other fields present in eventcode 4738 which are not present in 4662.
How can we use join and correlate these two datasets?
Thanks.
Hi @AL3Z,
using the join command you never accelerate a search, but you always slow it!
Anyway, to exclude results from a correlation search the easiest way is the suppression list I hinted at.
Otherwise you can add a filter in the Correlation Search to exclude some results, but not a join.
Ciao.
Giuseppe
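As an added example (not from this thread or from Splunk's own content), here is one way to apply the filter Giuseppe suggests and still correlate 4662 with 4738 without join. It assumes the field names from the post (OU, ProcessName, SubjectUserName, TargetUserName, EventCode as extracted by the Windows add-on) and a hypothetical lookup file service_accounts.csv with a single column named actor listing the service accounts to exclude; the `*$` term drops gMSA/computer accounts such as the EC_OktaGMSER$ subject in the event above.

```spl
(index=winevent OR index=winsec) source="XmlWinEventLog:*"
    (EventCode=4662 OR EventCode=4738)
    NOT SubjectUserName="*$"
    NOT ProcessName="*agent.exe"
    NOT OU="*serviceid*"
| eval actor=SubjectUserName
| lookup service_accounts.csv actor OUTPUT actor AS is_service
| where isnull(is_service)
| stats values(EventCode) AS event_codes
        values(TargetUserName) AS modified_accounts
        values(OU) AS object_ou
        values(ProcessName) AS process
        count AS events
        by actor
| where mvcount(event_codes)=2
```

The NOT terms and the lookup step can be pasted into the correlation search's search string as the filter; `stats ... by actor` followed by `mvcount(event_codes)=2` keeps only subjects seen in both event codes, which is what the join was meant to achieve.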
Hi @AL3Z,
when you have one or more events with users that you want to exclude from the results, you have to open the dropdown list on the right of the dashboard and choose the option suppress events, eventually (it isn't mandatory) adding an expiration date to this suppression rule.
You can also manage your suppression rules modifying them.
You could also modify the scheduled search that populates the Authentication DataModel, excluding these accounts.
Ciao.
Giuseppe