
How to blacklist EventCode 5145 with WinEventLog?

sun1000
Path Finder

I am trying to blacklist EventCode 5145 with a specific message, and it is not working.

Example Event:

LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=5145
EventType=4
Type=Success Audit
ComputerName=xxxx
Category=11111
CategoryString=none
RecordNumber=xxxx
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
Security ID: 
Account Name: 
Account Domain: 
Logon ID: 

Network Information:
Object Type: File
Source Address: 
Source Port: 

Share Information:
Share Name: 
Share Path: \
Relative Target Name: x.dxmdg.com\Policies\{123456789456456456454654464546464558655}\Machine\Preferences\Registry\Registry.xml

Access Request Information:
Access Mask: 
Accesses: 

Access Check Results:

 

With the blacklist below it is not working:
blacklist4 = EventCode="5145" Message="Relative Target Name:\s.+Registry\.xml"

Please provide some suggestions.

0 Karma

gcusello
Legend

Hi @sun1000,

in the blacklist and whitelist options you have to use a regex, not just insert your conditions.

So please find the correct regex and try something like this:

| rex "(?ms)EventCode\=5145.*Message\=.*Relative Target Name:\s.+Registry\.xml"

You can see a similar regex at https://regex101.com/r/7HVoS2/1 

Ciao.

Giuseppe

0 Karma

despoilerr
Loves-to-Learn Lots

Hi @gcusello, I have a similar issue. I am trying to blacklist EventCode 4662 on the universal forwarder except when AccountName!=*$ AccessMask=0x100.

Sample log:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxxxx
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=1079080612
Keywords=Audit Success
Message=An operation was performed on an object.

Subject :
Security ID: xx\Axxxxx
Account Name: Axxxxx
Account Domain: xxxx
Logon ID: xxxxxxxx

Object:
Object Server: DS
Object Type: computer
Object Name: CN=YDxxxx,OU=xxxxx,OU=xxxx,OU=xxxxx,DC=xxxx,DC=xxxx,DC=xxx
Handle ID: 0x0

Operation:
Operation Type: Object Access
Accesses: Control Access

Access Mask: 0x100
Properties: Control Access
Default Property Set
ms-Mcs-AdmPwd
computer


Additional Information:
Parameter 1: -
Parameter 2:

 
I tried multiple regexes in my inputs.conf and they didn't work:

1) blacklist1 = EventCode="4662"  Message="(Object Type:(?=\s*groupPolicyContainer))[\s\S]*((Properties:(?=[\s\S]*Default Property Set(.*)\s*ms-Mcs-AdmPwd))(Access Mask:(?=[\s\S]*0x100)))"

2) blacklist1 = EventCode="4662" Message="(?ms)Account\sName:[\s\S]*\$*Access\sMask:[\s\S]+0x(0$|1$|2$|20$)"



0 Karma
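Both posts above come down to the same question: does a given blacklistN regex actually match the field text of the event, before restarting the forwarder and waiting to see whether the event disappears? The script below is an added example (not Splunk's code and not posted by anyone in this thread) that lets you check that offline. It parses blacklist lines in the inputs.conf key="regex" form, splits an event rendered the way Splunk shows it (key=value header lines, then a multi-line Message field), and applies the rule from the inputs.conf spec that every pair on one blacklistN line must match (AND) while separate blacklistN lines are alternatives (OR). It is run against sun1000's 5145 line and against a two-line blacklist for despoilerr's 4662 case, reading that requirement as "drop 4662 unless a non-computer account (no trailing $) had Access Mask 0x100"; that reading, the event text, and all names in it are assumptions for the example.

```python
"""
Offline checker for Splunk Windows Event Log blacklists in inputs.conf.

Added example, not Splunk's own code.  It models the rule from the inputs.conf
spec: within one blacklistN line every key="regex" pair must match its field
(AND); separate blacklistN lines are alternatives (OR).  Regexes are searched,
not anchored, so EventCode="5145" also hits 51450; use ^5145$ when that matters.
Python's re handles the PCRE syntax used here identically, but confirm on a real
forwarder before relying on it.
"""
import re

# key="regex" or key=%regex% pairs, the two delimiters inputs.conf accepts
_PAIR_RE = re.compile(r'(\w+)=(["%])(.*?)\2')


def parse_blacklist(line):
    """Turn 'blacklistN = key="regex" ...' into [(field, compiled_regex), ...]."""
    _, _, value = line.partition("=")          # drop the "blacklistN =" prefix
    pairs = _PAIR_RE.findall(value)
    if not pairs:
        raise ValueError(f'no key="regex" pairs in {line!r}')
    return [(key, re.compile(regex)) for key, _delim, regex in pairs]


def parse_event(text):
    """Split Splunk's text rendering of a Windows event into its fields."""
    fields = {}
    lines = text.strip().splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            # Message is multi-line: everything from here to the end of the event
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, eq, value = line.partition("=")
        if eq:
            fields[key.strip()] = value.strip()
    return fields


def is_blacklisted(fields, blacklists):
    """True if any blacklist line has every one of its key/regex pairs matching."""
    return any(all(key in fields and rx.search(fields[key]) for key, rx in pairs)
               for pairs in blacklists)


# Constructed sample events shaped like the two posts' redacted examples
# (values invented, tabs as the forwarder sees them, unused sections trimmed).
SAMPLE_5145_GPO = """LogName=Security
EventCode=5145
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
\tAccount Name:\t\tWS01$

Share Information:
\tRelative Target Name:\tcorp.example.com\\Policies\\{00000000-0000-0000-0000-000000000001}\\Machine\\Preferences\\Registry\\Registry.xml
"""

SAMPLE_4662_USER = """LogName=Security
EventCode=4662
Message=An operation was performed on an object.

Subject :
\tAccount Name:\t\talice

Object:
\tObject Type:\t\tcomputer

Operation:
\tAccess Mask:\t\t0x100
\tProperties:\tControl Access
\t\tDefault Property Set
\t\t\tms-Mcs-AdmPwd
"""

BLACKLISTS = [
    # sun1000's 5145 line, with the '.' in Registry.xml escaped
    r'blacklist4 = EventCode="5145" Message="Relative Target Name:\s.+Registry\.xml"',
    # despoilerr's requirement read as: drop 4662 unless a non-computer account
    # (no trailing $) had Access Mask 0x100.  Separate lines OR together, so
    # one drops computer accounts and the other drops every other mask.
    r'blacklist1 = EventCode="4662" Message="(?m)^\s*Account Name:\s+\S+\$\s*$"',
    r'blacklist2 = EventCode="4662" Message="(?m)^\s*Access Mask:\s+0x(?!100\s*$)"',
]


def evaluate(blacklist_lines=BLACKLISTS):
    """Return {sample name: True if the forwarder would drop it}."""
    blacklists = [parse_blacklist(line) for line in blacklist_lines]
    samples = {
        "5145 GPO Registry.xml read": SAMPLE_5145_GPO,
        "5145 other target": SAMPLE_5145_GPO.replace(
            "Preferences\\Registry\\Registry.xml", "Scripts\\scripts.ini"),
        "4662 user reads ms-Mcs-AdmPwd": SAMPLE_4662_USER,
        "4662 computer account": SAMPLE_4662_USER.replace("alice", "WS02$"),
        "4662 user, other mask": SAMPLE_4662_USER.replace("0x100", "0x20"),
    }
    return {name: is_blacklisted(parse_event(text), blacklists)
            for name, text in samples.items()}
```

Run `evaluate()` and you will see that sun1000's regex does match the 5145 event as rendered, so if the event still reaches the indexer the cause is outside the regex (the stanza is not the one the forwarder uses, or splunkd was not restarted after the inputs.conf change). For the 4662 case, the event in which a plain user reads ms-Mcs-AdmPwd with 0x100 is kept while computer-account reads and other access masks are dropped. Once a line behaves as expected here, put it in the `[WinEventLog://Security]` stanza of inputs.conf on the forwarder and restart splunkd.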