Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z
Builder

Hi,

Looking for some assistance with regex for a blacklist in inputs.conf on Windows systems. We modified inputs.conf located at:
/opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf

Applied regex:

blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'>(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe)|(C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe)</Data>"


I attempted all available methods to blacklist the events above, but they did not take effect. Do we need to make modifications in order to successfully blacklist them?

Thanks

0 Karma

richgalloway
SplunkTrust

I think I just answered that.  Splunk is only part of the answer.  After all, Splunk can't show you what isn't indexed.  Therefore, if Splunk doesn't find a blacklisted event then the blacklist probably is working.  Confirm that by looking at Windows Event Viewer to see if a blacklisted event was generated.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

@richgalloway 
Thanks. As I see it, on some hosts the changes have not been reflected; what could be the issue?

0 Karma

AL3Z
Builder

Hi @richgalloway @gcusello ,

How can we utilize Btool on the host to troubleshoot whether the Universal Forwarder (UF) is utilizing an inputs.conf file other than the one intended for the Windows_TA? Despite applying the correct Regex filters, we are still encountering issues with events not being properly blacklisted.

Thank you

0 Karma

richgalloway
SplunkTrust

Sign in to the UF's CLI and run this btool command.  It will show which settings will take effect at the next restart and the file each setting comes from.

splunk btool --debug inputs list

 

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi @richgalloway @gcusello ,
When I ran splunk btool --debug check on the host, I observed the following:

C:\Program Files\SplunkUniversalForwarder\bin>splunk btool --debug check

No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false).
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\app.conf

windows_test is the app where I had deployed the configurations.


Thanks 

 

 

0 Karma

richgalloway
SplunkTrust

The lack of .spec files for app.conf should be unrelated to the problem you are having.  It means btool can't check the syntax of app.conf, but Splunk still can process the contents of that file.  Also, the blacklist is in inputs.conf so that's another reason why this is an unrelated issue.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

Hi,

I have been struggling to fix this blacklist in the windows_ta app's inputs.conf on the DS; I deployed it to clients, but it is not working as expected. Please help me fix this issue.

Logs are still being ingested.

Thanks. Eagerly waiting for your answers.

0 Karma

richgalloway
SplunkTrust

Please heed the note at the top of the file.

# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.

Any changes made to a default file will be lost when a new version of the app is installed.  All changes should be made in a local file.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust

Hi @AL3Z ,

As you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Inputsconf , blacklist uses a regex, so if the exact string EventCode="4662" (with the equals sign and quotes) isn't in your logs, the filter doesn't work.

Use regex101 (as I did in my first answer) to find the regex to filter your logs.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

It's not 4662, it's 4688.

0 Karma

AL3Z
Builder

Nope, I have added $xmlRegex followed by your regex 

Is this the right one, as you mentioned on regex101? If not, please correct it.

blacklist5 = EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks

0 Karma

gcusello
SplunkTrust

Hi @AL3Z,

don't use quotes:

blacklist5 = \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

Hi @gcusello ,

I need your help to decode the XML regex. We have C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe in NewProcessName and ParentProcessName.

Tried regex: it's not excluding the events even after placing both of these combinations.

blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

blacklist5 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

Sample event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T11:53:55.027269400Z'/><EventRecordID>151278170</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='10472'/><Channel>Security</Channel><Computer>xyz.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x36ec</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2888</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

 

Thanks..

0 Karma

AL3Z
Builder

Hi @gcusello ,

This regex is not working! Do we need to use  followed by EventCode="4688" Message=" " to get it to work?

0 Karma

gcusello
SplunkTrust

Hi @AL3Z ,

It's a regex; instead, these are Splunk fields: try only the regex.

The EventCode=4688 is inside the regex, so you don't need to repeat it.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

Hi @gcusello ,

I went through one of your answers in the post https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999 , but in my case there is no transforms.conf in my windows_ta app. How can we apply the same in my case and stop the logs from being ingested into Splunk?

Thanks

0 Karma

gcusello
SplunkTrust

Hi @AL3Z,

Blacklisting is in inputs.conf.

transforms.conf and props.conf are the second solution described in the above link, used to filter logs on indexers or heavy forwarders (if present) when you cannot filter logs on the universal forwarder.

That isn't your situation: you have to find the exact regex. Please try my first regex, inserted in the blacklist option of your inputs.conf.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

@gcusello Is this the right format to apply?

blacklist5 = EventCode="4688" $XmlRegex="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks..

0 Karma

gcusello
SplunkTrust

Hi @AL3Z,

This regex seems not to work.

Did you try the one I shared (that works on regex101)?

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

The RHS of the blacklist setting must be in key=regex format, where key is one of Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, or User, and regex is a regular expression enclosed in delimiters (quotes can be a delimiter).

---
If this reply helps you, Karma would be appreciated.
0 Karma
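A way to check candidate blacklist regexes offline before pushing them from the deployment server, as an added example that is not part of this thread and not Splunk's own code. It takes the key=regex syntax and the $XmlRegex=%...% form used in the posts above, plus the posted 4688 event (trimmed and constructed here), and assumes, from the inputs.conf spec rather than from a live forwarder, that with renderXml = true each $XmlRegex pattern is searched in the full rendered XML event, that several key=regex pairs on one blacklist line are ANDed, and that Python's re behaves like Splunk's PCRE engine for these patterns. It shows the two things the attempts above turn on: the rendered XML uses single quotes around attribute values, so Name="NewProcessName" in a pattern can never match; and an alternation written as (A)|(B) binds looser than intended, so the second branch also matches the same path when it only appears in ParentProcessName.

```python
"""Offline check of Windows Event Log blacklist regexes against rendered XML.

Added example for this thread; it is not Splunk code and not from any poster.
Assumptions (from the inputs.conf spec, not verified against a live forwarder):
  * with renderXml = true, each $XmlRegex=%...% pattern is searched in the whole
    rendered XML event text;
  * several key=regex pairs on one blacklist line are ANDed;
  * Python's re stands in for Splunk's PCRE engine for these simple patterns.
"""
import re

# Constructed 4688 event, trimmed from the one posted in the thread. Windows
# renders attribute values with SINGLE quotes; the regex has to match that.
EVENT_TANIUM = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Channel>Security</Channel><Computer>xyz.com</Computer></System><EventData><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data></EventData></Event>"""

# Constructed: a child process spawned by the Tanium client. A filter meant to
# drop the client's own 4688 must NOT drop this one.
EVENT_CHILD = EVENT_TANIUM.replace(
    r"<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>",
    r"<Data Name='NewProcessName'>C:\Windows\System32\cmd.exe</Data>",
)

# key=<delim>regex<delim> pairs; the delimiter is " or % and may not appear in the body.
PAIR_RE = re.compile(r'(\$?\w+)=(["%])(.*?)\2')


def parse_blacklist(rhs):
    """Split the RHS of a blacklistN line into (key, regex) pairs."""
    return [(key, body) for key, _delim, body in PAIR_RE.findall(rhs)]


def event_field(event_xml, key):
    """Text a given key is matched against (only the keys this example needs)."""
    if key == "$XmlRegex":
        return event_xml
    if key == "EventCode":
        m = re.search(r"<EventID>(\d+)</EventID>", event_xml)
        return m.group(1) if m else ""
    raise ValueError(f"key {key!r} is not handled by this evaluator")


def blacklist_drops(rhs, event_xml):
    """True if every key=regex pair matches, i.e. the forwarder would drop the event."""
    pairs = parse_blacklist(rhs)
    if not pairs:
        raise ValueError("no key=regex pairs found in blacklist value")
    return all(re.search(body, event_field(event_xml, key)) for key, body in pairs)


# As posted in the thread: attribute values written with double quotes, which
# never occur in the rendered XML, so the first and third pairs cannot match.
POSTED = (r'$XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% '
          r'$XmlRegex=%<EventID>4688<\/EventID>% '
          r'$XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%')

# Same filter with the quoting the rendered XML actually uses.
FIXED = (r"$XmlRegex=%<Provider[^>]+Name='Microsoft-Windows-Security-Auditing'% "
         r"$XmlRegex=%<EventID>4688<\/EventID>% "
         r"$XmlRegex=%<Data Name='NewProcessName'>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>%")

# Ungrouped alternation, as in several attempts above: X(A)|(B)Y means "XA" OR
# "BY", so the second branch also matches the path sitting in ParentProcessName.
LOOSE = (r"$XmlRegex=%<Data Name='NewProcessName'>"
         r"(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|"
         r"(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%")

# Alternation inside one group: both paths stay anchored to NewProcessName.
TIGHT = (r"$XmlRegex=%<Data Name='NewProcessName'>"
         r"(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe|"
         r"C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%")


def check_all():
    """Run each candidate against the two constructed events."""
    return {
        "posted_drops_tanium": blacklist_drops(POSTED, EVENT_TANIUM),
        "fixed_drops_tanium": blacklist_drops(FIXED, EVENT_TANIUM),
        "loose_drops_child": blacklist_drops(LOOSE, EVENT_CHILD),
        "tight_drops_child": blacklist_drops(TIGHT, EVENT_CHILD),
        "tight_drops_tanium": blacklist_drops(TIGHT, EVENT_TANIUM),
    }


if __name__ == "__main__":
    for name, dropped in check_all().items():
        print(f"{name}: {dropped}")
```

Read the booleans as "would the forwarder drop this event": posted_drops_tanium comes back False because of the quote mismatch, loose_drops_child comes back True because the ungrouped alternation also eats the Tanium client's children, and only the TIGHT form drops the client's own 4688 while keeping the child. Once a regex passes here, confirm on the forwarder with splunk btool --debug inputs list that the stanza actually in effect is the one carrying the blacklist and that the same stanza sets renderXml = true, since the spec ties $XmlRegex to XML rendering; a pattern that matches the classic text rendering will not match the XML one and vice versa.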