Splunk Search

Using blacklist on Windows TA and XML events

dieguiariel
Path Finder

Hi, ive successfully blacklisted the windows event 4658 with this line_

blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

ive tried to do the same for event 4656

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

 

but isn't working. Any ideas?

 

inputs.conf:

 

[WinEventLog://Security]
disabled = 0
index = winevents

whitelist1 = 1102,4616,4647,4656-4658,4660,4663,4670,4672
whitelist2 = 4673,4674,4698-4702,4704,4705,4715,4719,4720
whitelist3 = 4722,4725,4726,4732,4733,4735,4738-4740,4767
whitelist3 = 4779,5140,5145

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"
blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

 

Raw event example

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-08-12T19:47:25.544399300Z'/><EventRecordID>1397935969</EventRecordID><Correlation/><Execution ProcessID='716' ThreadID='728'/><Channel>Security</Channel><Computer>svr-apl-cit-01.BANCOREGIONAL.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SVR-APL-CIT-01$</Data><Data Name='SubjectDomainName'>BANCOREGIONAL</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Key</Data><Data Name='ObjectName'>\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SamSs</Data><Data Name='HandleId'>0x584</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='AccessList'>%%1537 %%1538 %%1539 %%1540 %%4432 %%4433 %%4434 %%4435 %%4436 %%4437 </Data><Data Name='AccessReason'>-</Data><Data Name='AccessMask'>0xf003f</Data><Data Name='PrivilegeList'>-</Data><Data Name='RestrictedSidCount'>0</Data><Data Name='ProcessId'>0x1ec0</Data><Data Name='ProcessName'>C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event>

Thanks in advance.

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dieguiariel,

you have to escape all the special chars in your regex (also <, \, =,  ', etc...).

So your regex should be something like these:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\\\Windows\\\\System32\\\\CpqMgmt\\\\cqmghost\\\\cqmghost\.exe

 Ciao.

Giuseppe

0 Karma

dieguiariel
Path Finder

Hi!, it didn't work.

 

Finally i fixed like this:

blacklist1 = $XmlRegex="<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

because i've needed filter this process from both event codes.

Don't know why didn't work the first way.

Thanks anyway.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dieguiariel,

the regex to filter the events is:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost\.exe

that you can check at https://regex101.com/r/a3QYcF/1

As I said, you have to escape all the special chars in your regex (also <, \, =,  ', etc...).

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...