Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using blacklist on Windows TA and XML events

dieguiariel
Path Finder
‎08-12-2020 01:08 PM

Hi, ive successfully blacklisted the windows event 4658 with this line_

blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

ive tried to do the same for event 4656

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

 

but isn't working. Any ideas?

 

inputs.conf:

 

[WinEventLog://Security]
disabled = 0
index = winevents

whitelist1 = 1102,4616,4647,4656-4658,4660,4663,4670,4672
whitelist2 = 4673,4674,4698-4702,4704,4705,4715,4719,4720
whitelist3 = 4722,4725,4726,4732,4733,4735,4738-4740,4767
whitelist3 = 4779,5140,5145

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"
blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

 

Raw event example

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-08-12T19:47:25.544399300Z'/><EventRecordID>1397935969</EventRecordID><Correlation/><Execution ProcessID='716' ThreadID='728'/><Channel>Security</Channel><Computer>svr-apl-cit-01.BANCOREGIONAL.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SVR-APL-CIT-01$</Data><Data Name='SubjectDomainName'>BANCOREGIONAL</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Key</Data><Data Name='ObjectName'>\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SamSs</Data><Data Name='HandleId'>0x584</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='AccessList'>%%1537 %%1538 %%1539 %%1540 %%4432 %%4433 %%4434 %%4435 %%4436 %%4437 </Data><Data Name='AccessReason'>-</Data><Data Name='AccessMask'>0xf003f</Data><Data Name='PrivilegeList'>-</Data><Data Name='RestrictedSidCount'>0</Data><Data Name='ProcessId'>0x1ec0</Data><Data Name='ProcessName'>C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event>

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-13-2020 02:04 AM

Hi @dieguiariel,

you have to escape all the special chars in your regex (also <, \, =,  ', etc...).

So your regex should be something like these:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\\\Windows\\\\System32\\\\CpqMgmt\\\\cqmghost\\\\cqmghost\.exe

 Ciao.

Giuseppe

0 Karma
Reply

dieguiariel
Path Finder
‎08-17-2020 05:44 AM

Hi!, it didn't work.

 

Finally i fixed like this:

blacklist1 = $XmlRegex="<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

because i've needed filter this process from both event codes.

Don't know why didn't work the first way.

Thanks anyway.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-18-2020 12:41 AM

Hi @dieguiariel,

the regex to filter the events is:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost\.exe

that you can check at https://regex101.com/r/a3QYcF/1

As I said, you have to escape all the special chars in your regex (also <, \, =,  ', etc...).

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...