Hello, I am trying to blacklist an event code with a message and it is not working. I have my code posted below. Am I missing something? Thanks!
blacklist5 = Eventcode="4663" Message="Accesses:ReadData (or ListDirectory)"
try below,
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"
Thanks for the suggestion, but that didn't seem to help. Any other suggestions?
Can you paste a sample event? The regex for Message might be wrong, or another possibility is that it won't affect old events.
Below is the example given in Splunk_TA_windows:
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
This is what I have. Thanks again!
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4700|4767|4946|4948|4779|4954|4740|4658|4634|5145|4656|4672|5158|4776|5152|5157|4769|4768|4648|4985|4690|4771|4770|4702|4670|4660|4689|4611|5154|4793|5447|5058|5061|5031|4673|5143|4742|1|4647|4723|4738"
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist4 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
blacklist5=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"
index = oswinsec
renderXml=false
Can you paste one sample event? I guess the Message regex is wrong.
Sorry, I'm new to Splunk. What do you mean by "paste one sample event"?
Thanks
Please execute the query below on your search head:
index=oswinsec EventCode=4663 | head 1
It will produce one result. Copy the output and paste it in a comment.
07/27/2017 02:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=473041460
Keywords=Audit Success
Message=An attempt was made to access an object.
Subject:
Security ID: S-1-5-18
Account Name:
Account Domain:
Logon ID:
Object:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\
Handle ID: 0x204
Resource Attributes:
Process Information:
Process ID: 0x51c
Process Name: D:\Program Files
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
EventCode = 4663 host = index = oswinsec source = WinEventLog:Security sourcetype = WinEventLog:Security
Thanks
blacklist5=EventCode="4663" Message="An attempt was made to access an object."
or
Assuming that the Accesses field has been extracted:
blacklist5=EventCode="4663" Accesses="ReadData\s(or\sListDirectory)"
That worked! Thanks
Cool. Glad it worked. Please vote or accept the answer.
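As an added check that is not part of the thread, this Python snippet runs each Message pattern posted above, plus one hypothetical corrected pattern, against a constructed copy of the pasted 4663 event. It assumes an unanchored regex search approximates how Splunk applies a WinEventLog blacklist to the Message field, and that the Message text keeps the tabs between each label and its value.

```python
import re

# Constructed sample Message text for a 4663 event, modelled on the event
# pasted above (tabs and newlines stand in for the real message layout).
SAMPLE_4663_MESSAGE = (
    "An attempt was made to access an object.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n\n"
    "Object:\n"
    "\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
    "\tObject Name:\t\tD:\\Program Files\\\n\n"
    "Access Request Information:\n"
    "\tAccesses:\t\tReadData (or ListDirectory)\n"
    "\tAccess Mask:\t\t0x1\n"
)

# The Message patterns that appear in the thread, plus one hypothetical fix.
PATTERNS = {
    # original attempt: assumes no whitespace between "Accesses:" and the value
    "literal": r"Accesses:ReadData (or ListDirectory)",
    # suggested fix: "\s+" for the inner gaps, but still nothing after the
    # colon, and the unescaped parentheses form a group rather than literals
    "suggested": r"Accesses:ReadData\s+(or\s+ListDirectory)",
    # what finally worked: the first sentence of every 4663 message
    "first_sentence": r"An attempt was made to access an object.",
    # hypothetical (not from the thread): whitespace allowed after the colon,
    # parentheses escaped, so only the ReadData/ListDirectory access matches
    "readdata_only": r"Accesses:\s+ReadData\s+\(or\s+ListDirectory\)",
}


def blacklist_matches(pattern: str, message: str) -> bool:
    """Unanchored search; assumed here to approximate how Splunk applies a
    WinEventLog blacklist regex to the Message field."""
    return re.search(pattern, message) is not None


def evaluate(message: str = SAMPLE_4663_MESSAGE) -> dict:
    """Return {label: True if the event would be blacklisted} per pattern."""
    return {label: blacklist_matches(p, message) for label, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:15} -> {'dropped' if hit else 'kept'}")
```

Note that the pattern which worked drops every 4663 event, not only ReadData accesses, because every 4663 message starts with that sentence; a pattern scoped to one access type should be tested this way against a real event before it goes into inputs.conf.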