Splunk Search

Using blacklist on Windows TA and XML events

dieguiariel
Path Finder

Hi, I've successfully blacklisted the Windows event 4658 with this line:

blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

I've tried to do the same for event 4656:

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

but it isn't working. Any ideas?


inputs.conf:


[WinEventLog://Security]
disabled = 0
index = winevents

whitelist1 = 1102,4616,4647,4656-4658,4660,4663,4670,4672
whitelist2 = 4673,4674,4698-4702,4704,4705,4715,4719,4720
whitelist3 = 4722,4725,4726,4732,4733,4735,4738-4740,4767
# each whitelistN key must be unique within the stanza; a repeated whitelist3 would replace the previous one
whitelist4 = 4779,5140,5145

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"
blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

Raw event example:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-08-12T19:47:25.544399300Z'/><EventRecordID>1397935969</EventRecordID><Correlation/><Execution ProcessID='716' ThreadID='728'/><Channel>Security</Channel><Computer>svr-apl-cit-01.BANCOREGIONAL.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SVR-APL-CIT-01$</Data><Data Name='SubjectDomainName'>BANCOREGIONAL</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Key</Data><Data Name='ObjectName'>\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SamSs</Data><Data Name='HandleId'>0x584</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='AccessList'>%%1537 %%1538 %%1539 %%1540 %%4432 %%4433 %%4434 %%4435 %%4436 %%4437 </Data><Data Name='AccessReason'>-</Data><Data Name='AccessMask'>0xf003f</Data><Data Name='PrivilegeList'>-</Data><Data Name='RestrictedSidCount'>0</Data><Data Name='ProcessId'>0x1ec0</Data><Data Name='ProcessName'>C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event>

Thanks in advance.


gcusello
SplunkTrust

Hi @dieguiariel,

you have to escape all the special chars in your regex (also <, \, =, ', etc.).

So your regex should be something like this:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\\\Windows\\\\System32\\\\CpqMgmt\\\\cqmghost\\\\cqmghost\.exe

Ciao.

Giuseppe


dieguiariel
Path Finder

Hi! It didn't work.

Finally I fixed it like this:

blacklist1 = $XmlRegex="<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

because I needed to filter this process from both event codes.

Don't know why it didn't work the first way.

Thanks anyway.


gcusello
SplunkTrust

Hi @dieguiariel,

the regex to filter the events is:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost\.exe

that you can check at https://regex101.com/r/a3QYcF/1

As I said, you have to escape all the special chars in your regex (also <, \, =, ', etc.).

Ciao.

Giuseppe

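As an added example (not part of the thread or of the Windows TA), a small offline checker that pulls the regex out of a `$XmlRegex` blacklist line and runs each pattern quoted above against the raw 4656 event, so a blacklist can be validated before it is deployed to inputs.conf. It assumes the text between the quotes reaches the regex engine verbatim and uses Python's `re` as a stand-in for Splunk's PCRE engine; the sample event is the one from the question, trimmed to the elements the regex looks at.

```python
import re

# Sample 4656 event from the thread, single-line XML as the Windows TA renders it
# (shortened to the elements the blacklist looks at; paths keep their single backslashes).
RAW_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<EventID>4656</EventID><Channel>Security</Channel></System><EventData>"
    "<Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data>"
    "<Data Name='ProcessId'>0x1ec0</Data>"
    "<Data Name='ProcessName'>C:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe</Data>"
    "</EventData></Event>"
)

# The blacklist lines exactly as written in the thread's inputs.conf.
BLACKLIST1_LINE = r'''blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"'''
BLACKLIST2_LINE = r'''blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"'''
# The two regexes proposed in the replies: the first doubles every backslash (\\\\), the second does not.
REPLY_DOUBLE_ESCAPED = r"""\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\\\Windows\\\\System32\\\\CpqMgmt\\\\cqmghost\\\\cqmghost\.exe"""
REPLY_SINGLE_ESCAPED = r"""\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost\.exe"""

STANZA_RE = re.compile(r'^(blacklist\d?)\s*=\s*\$XmlRegex="(.*)"\s*$')

def xml_regex_from_stanza(line):
    """Split a `blacklistN = $XmlRegex="..."` line into (key, pattern).
    Assumption: the text between the quotes reaches the regex engine verbatim."""
    m = STANZA_RE.match(line)
    if not m:
        raise ValueError(f"not an $XmlRegex blacklist line: {line!r}")
    return m.group(1), m.group(2)

def event_is_blacklisted(pattern, raw_event):
    """True if the pattern matches anywhere in the one-line XML event.
    Python's re stands in for Splunk's PCRE engine (assumption; a doubled backslash is one literal backslash in both)."""
    return re.search(pattern, raw_event) is not None

def check_thread_patterns(raw_event=RAW_EVENT):
    """Run every regex quoted in the thread against the event; returns {label: matched}."""
    candidates = {
        "blacklist1 ([C], event 4656)": xml_regex_from_stanza(BLACKLIST1_LINE)[1],
        "blacklist2 ([C-F], event 4658)": xml_regex_from_stanza(BLACKLIST2_LINE)[1],
        "reply 1 (doubled backslashes)": REPLY_DOUBLE_ESCAPED,
        "reply 2 (single backslashes)": REPLY_SINGLE_ESCAPED,
    }
    return {label: event_is_blacklisted(p, raw_event) for label, p in candidates.items()}

if __name__ == "__main__":
    for label, matched in check_thread_patterns().items():
        print(f"{'MATCH   ' if matched else 'no match'}  {label}")
```

A pattern that matches here but still lets the event through in Splunk points at something other than the regex text itself (stanza placement, event rendering mode, or the input not having been restarted), which narrows the troubleshooting.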