Splunk Dev

Trying to blacklist event code with accesses

Jordan54
New Member

Hello. I am trying to blacklist an event code with a message and it is not working. I have my code posted below. Am I missing something? Thanks!

blacklist5 = Eventcode="4663" Message="Accesses:ReadData (or ListDirectory)"

0 Karma
1 Solution

sbbadri
Motivator

Try the below:

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"

Jordan54
New Member

Thanks for the suggestion, but that didn't seem to help. Any other suggestions?

0 Karma

sbbadri
Motivator

Can you paste a sample event? The regex for Message might be wrong, or another possibility is that it won't affect old events.

Below is the example given in Splunk_TA_windows:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

0 Karma

Jordan54
New Member

This is what I have. Thanks again!

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4700|4767|4946|4948|4779|4954|4740|4658|4634|5145|4656|4672|5158|4776|5152|5157|4769|4768|4648|4985|4690|4771|4770|4702|4670|4660|4689|4611|5154|4793|5447|5058|5061|5031|4673|5143|4742|1|4647|4723|4738"
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist4 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
blacklist5=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"

index = oswinsec
renderXml=false

0 Karma

sbbadri
Motivator

Can you paste one sample event? I guess the Message regex is wrong.

0 Karma

Jordan54
New Member

Sorry, I'm new to Splunk. What do you mean by "paste one sample event"?

Thanks

0 Karma

sbbadri
Motivator

Please execute the below query on your search head:

index=oswinsec EventCode=4663 | head 1

It will produce one result. Copy the output result and paste it in a comment.

0 Karma

Jordan54
New Member

2:27:01.000 PM

07/27/2017 02:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=473041460
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
Security ID: S-1-5-18
Account Name:

Account Domain:

Logon ID:

Object:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\
Handle ID: 0x204
Resource Attributes:
Process Information:
Process ID: 0x51c
Process Name: D:\Program Files

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:        0x1

EventCode = 4663 host = index = oswinsec source = WinEventLog:Security sourcetype = WinEventLog:Security

Thanks

0 Karma

sbbadri
Motivator

blacklist5=EventCode="4663" Message="An attempt was made to access an object."

Or, assuming that the Accesses field has been extracted:

blacklist5=EventCode="4663" Accesses="ReadData\s(or\sListDirectory)"

0 Karma
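Added example (the editor's, not code from the thread or from Splunk): a small Python model of a blacklist rule applied to a constructed Message modelled on the 4663 event quoted above. It shows why the first regex never matched (the label and value are separated by tabs, and the unescaped parentheses form a group rather than literal text) and that the accepted Message pattern drops every 4663 event, write accesses included. It assumes Splunk ANDs the key=regex pairs of one rule and applies each regex as an unanchored search on the field value.

```python
import re

def make_event(accesses: str, mask: str) -> dict:
    """Constructed 4663 event; Windows puts tabs between label and value (assumption)."""
    return {
        "EventCode": "4663",
        "Accesses": accesses,  # as it would look if extracted as its own field
        "Message": (
            "An attempt was made to access an object.\r\n\r\n"
            "Object:\r\n\tObject Type:\t\tFile\r\n"
            "Access Request Information:\r\n"
            f"\tAccesses:\t\t{accesses}\r\n"
            f"\tAccess Mask:\t\t{mask}\r\n"
        ),
    }

READ_EVENT = make_event("ReadData (or ListDirectory)", "0x1")   # the noisy one
WRITE_EVENT = make_event("WriteData (or AddFile)", "0x2")        # audit-relevant, keep it

def parse_blacklist(rule: str) -> dict:
    """Split 'Key="regex" Key2="regex"' into {key: regex}; straight quotes only."""
    return dict(re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', rule))

def is_blacklisted(rule: str, event: dict) -> bool:
    """Assumed semantics: every key's regex must match its field (logical AND), unanchored."""
    return all(re.search(rx, event.get(key, "")) for key, rx in parse_blacklist(rule).items())

# Rules taken from the thread, plus an escaped, whitespace-tolerant variant.
ORIGINAL = r'EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"'
ACCESSES = r'EventCode="4663" Accesses="ReadData\s(or\sListDirectory)"'
BROAD    = r'EventCode="4663" Message="An attempt was made to access an object."'
NARROW   = r'EventCode="4663" Message="Accesses:\s+ReadData \(or ListDirectory\)"'

def evaluate() -> dict:
    """For each rule: (drops the read-only event?, drops the write event?)."""
    rules = [("original", ORIGINAL), ("accesses", ACCESSES), ("broad", BROAD), ("narrow", NARROW)]
    return {name: (is_blacklisted(r, READ_EVENT), is_blacklisted(r, WRITE_EVENT)) for name, r in rules}

if __name__ == "__main__":
    for name, (read, write) in evaluate().items():
        print(f"{name:8s} drops ReadData 4663: {read!s:5}  drops WriteData 4663: {write}")
```

Only the escaped, whitespace-tolerant pattern drops the read-only noise while keeping write accesses; the broad Message pattern silences all 4663 auditing on that input.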

Jordan54
New Member

That worked! Thanks

0 Karma

sbbadri
Motivator

Cool. Glad it worked. Please vote or accept the answer.

0 Karma