Splunk Search

Blacklisting the hypen processname using REGEX

AL3Z
Builder

Hi, As I was wondering can we blacklist the processname like "-"  in the inputs.conf of DS ?? to save the splunk license .

AL3Z_0-1697558769612.png

 

Sample Event:


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>3</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-10-17T16:07:15.4402877Z'/><EventRecordID>455140</EventRecordID><Correlation ActivityID='{b2071651-382e-4101-85e8-28f5e9b1b5d5}'/><Execution ProcessID='1112' ThreadID='3816'/><Channel>Security</Channel><Computer>xyz.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>xxx$</Data><Data Name='TargetDomainName'>xyx.COM</Data><Data Name='TargetLogonId'>0xb126027</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{c425351a-8525-d2f0-f686-1a0aff9db449}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='RemoteCredentialGuard'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

 

Thanks

Labels (1)
0 Karma

fredclown
Builder

This would be done on a heavy forwarder or the indexer(s), whichever the events hit first. The below link has information for how to do this. You can do it with SEDCMD in a props.conf. The code below is an excerpt from that page that shows specifically how you would do this. In this case this <Data Name='IpPort'>0</Data> is being turned into this <Data Name='IpPort'></Data>.

#For XmlWinEventLog:Security
     SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/

https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...