
Trying to blacklist event code with accesses

Jordan54
New Member

Hello.. I am trying to blacklist an event code with a message and it is not working.. I have my code posted below. Am I missing something? Thanks!

blacklist5 = Eventcode="4663" Message="Accesses:ReadData (or ListDirectory)"

0 Karma
1 Solution

sbbadri
Motivator

Try the following:

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"

Jordan54
New Member

Thanks for the suggestion, but that didn't seem to help. Any other suggestions?

0 Karma

sbbadri
Motivator

Can you paste a sample event? The regex for the message might be wrong, or another possibility is that it won't affect old events.

Below is the example given in Splunk_TA_windows:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

0 Karma

Jordan54
New Member

This is what I have.. Thanks again!

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4700|4767|4946|4948|4779|4954|4740|4658|4634|5145|4656|4672|5158|4776|5152|5157|4769|4768|4648|4985|4690|4771|4770|4702|4670|4660|4689|4611|5154|4793|5447|5058|5061|5031|4673|5143|4742|1|4647|4723|4738"
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist4 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
blacklist5=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"

index = oswinsec
renderXml=false

0 Karma

sbbadri
Motivator

Can you paste one sample event? I guess the Message regex is wrong.

0 Karma

Jordan54
New Member

Sorry, I'm new to Splunk.. what do you mean by "paste one sample event"?

Thanks

0 Karma

sbbadri
Motivator

Please execute the query below on your search head:

index=oswinsec EventCode=4663 | head 1

It will produce one result. Copy the output and paste it in a comment.

0 Karma

Jordan54
New Member

2:27:01.000 PM

07/27/2017 02:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=473041460
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
Security ID: S-1-5-18
Account Name:

Account Domain:

Logon ID:

Object:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\
Handle ID: 0x204
Resource Attributes:
Process Information:
Process ID: 0x51c
Process Name: D:\Program Files

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:        0x1

EventCode = 4663 host = index = oswinsec source = WinEventLog:Security sourcetype = WinEventLog:Security

Thanks

0 Karma

sbbadri
Motivator

blacklist5=EventCode="4663" Message="An attempt was made to access an object."

or, assuming that the Accesses field has been extracted:

blacklist5=EventCode="4663" Accesses="ReadData\s(or\sListDirectory)"

0 Karma
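As an added check that is not part of the thread: a small Python harness that approximates how Splunk applies a key=regex blacklist entry to the 4663 event pasted above. It assumes the documented semantics (every key=regex pair in one entry must match, each regex searched unanchored in the field value) and uses a simplified parser for the classic WinEventLog text format, not Splunk's own code. It shows why the Accesses regex from the earlier posts never matched: the event text has a space after "Accesses:", and the unescaped parentheses form a regex group rather than matching the literal "(or ListDirectory)".

```python
import re

# Constructed sample: an abbreviation of the 4663 event pasted in the thread.
SAMPLE_EVENT = """07/27/2017 02:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
Type=Information
Message=An attempt was made to access an object.

Object:
Object Type: File
Object Name: D:\\Program Files\\

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:        0x1
"""

# The blacklist entries discussed in the thread, plus an escaped variant.
ORIGINAL = r'EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"'
ESCAPED = r'EventCode="4663" Message="Accesses:\s*ReadData\s+\(or\s+ListDirectory\)"'
ACCEPTED = r'EventCode="4663" Message="An attempt was made to access an object."'


def parse_event(text):
    """Split classic WinEventLog text into top-level Key=Value fields.
    Everything from 'Message=' onward is the (multi-line) Message value."""
    header, _, message = text.partition("Message=")
    fields = {}
    for line in header.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    fields["Message"] = message.strip()
    return fields


def parse_blacklist(entry):
    """Turn 'Key="regex" Key2="regex2"' into {Key: regex}; quotes may not nest."""
    return dict(re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', entry))


def is_blacklisted(fields, entry):
    """Assumed semantics: every key=regex pair must match, searched unanchored."""
    return all(re.search(rx, fields.get(key, "")) is not None
               for key, rx in parse_blacklist(entry).items())


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    for name, entry in [("original", ORIGINAL), ("escaped", ESCAPED), ("accepted", ACCEPTED)]:
        print(f"{name:9s} -> {'dropped' if is_blacklisted(ev, entry) else 'kept'}")
```

The accepted entry matches the fixed description line that every 4663 event carries, so it drops all object-access audit events for that input, not only ReadData/ListDirectory ones; the escaped form is the one to use if only those accesses should be filtered.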

Jordan54
New Member

That worked! Thanks

0 Karma

sbbadri
Motivator

Cool. Glad it worked. Please vote or accept the answer.

0 Karma