Splunk Search

Using blacklist on Windows TA and XML events

dieguiariel
Path Finder

Hi, I've successfully blacklisted the Windows event 4658 with this line:

blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

I've tried to do the same for event 4656:

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

 

but it isn't working. Any ideas?

 

inputs.conf:

[WinEventLog://Security]
disabled = 0
index = winevents

whitelist1 = 1102,4616,4647,4656-4658,4660,4663,4670,4672
whitelist2 = 4673,4674,4698-4702,4704,4705,4715,4719,4720
whitelist3 = 4722,4725,4726,4732,4733,4735,4738-4740,4767
# whitelist keys must be unique within a stanza; a second whitelist3 would replace the first one
whitelist4 = 4779,5140,5145

blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"
blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

 

Raw event example

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-08-12T19:47:25.544399300Z'/><EventRecordID>1397935969</EventRecordID><Correlation/><Execution ProcessID='716' ThreadID='728'/><Channel>Security</Channel><Computer>svr-apl-cit-01.BANCOREGIONAL.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SVR-APL-CIT-01$</Data><Data Name='SubjectDomainName'>BANCOREGIONAL</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Key</Data><Data Name='ObjectName'>\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SamSs</Data><Data Name='HandleId'>0x584</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='AccessList'>%%1537 %%1538 %%1539 %%1540 %%4432 %%4433 %%4434 %%4435 %%4436 %%4437 </Data><Data Name='AccessReason'>-</Data><Data Name='AccessMask'>0xf003f</Data><Data Name='PrivilegeList'>-</Data><Data Name='RestrictedSidCount'>0</Data><Data Name='ProcessId'>0x1ec0</Data><Data Name='ProcessName'>C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event>

Thanks in advance.

0 Karma

gcusello
SplunkTrust

Hi @dieguiariel,

you have to escape all the special chars in your regex (also <, \, =, ', etc.).

So your regex should be something like these:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\\\Windows\\\\System32\\\\CpqMgmt\\\\cqmghost\\\\cqmghost\.exe

 Ciao.

Giuseppe

0 Karma

dieguiariel
Path Finder

Hi! It didn't work.

Finally I fixed it like this:

blacklist1 = $XmlRegex="<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"

because I needed to filter this process from both event codes.

Don't know why the first way didn't work.

Thanks anyway.

0 Karma

gcusello
SplunkTrust

Hi @dieguiariel,

the regex to filter the events is:

\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost\.exe

that you can check at https://regex101.com/r/a3QYcF/1

As I said, you have to escape all the special chars in your regex (also <, \, =, ', etc.).

Ciao.

Giuseppe

0 Karma
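To check a stanza like the one in the question offline before pushing it to forwarders, here is an added example in Python. It is not code from the posts, from the Windows TA or from Splunk. It reads a copy of the stanza from the question, flags the repeated whitelist3 key, expands the event ID ranges, compiles each $XmlRegex blacklist and decides per rendered-XML event whether it would be forwarded; it then repeats that for a variant that renames the duplicate key and uses the final blacklist from the last reply (no EventID anchor) with the dot escaped as the answer recommends, and it runs the regex from the last answer against a 4656 event. Assumptions that are not stated on the page: a key repeated inside one stanza keeps its last value; an event is forwarded only when its EventID is whitelisted and no blacklist regex matches, which is consistent with blacklist2 dropping 4658 although 4656-4658 is whitelisted; and Python's re module stands in for Splunk's PCRE engine, which agrees for these patterns but not in general. The sample events are constructed and cut down to the fields the regexes touch.

```python
"""Offline model of the WinEventLog whitelist/blacklist stanza from this thread.

Added example, not code from the posts or from Splunk. Assumptions (not on the
page): a key repeated inside one stanza keeps its LAST value; an event is
forwarded only if its EventID is whitelisted AND no blacklist regex matches
the rendered XML; Python's re stands in for Splunk's PCRE engine.
"""
import re
from collections import Counter

# Constructed copy of the stanza posted in the question, repeated whitelist3 included.
POSTED_STANZA = r"""
[WinEventLog://Security]
disabled = 0
index = winevents
whitelist1 = 1102,4616,4647,4656-4658,4660,4663,4670,4672
whitelist2 = 4673,4674,4698-4702,4704,4705,4715,4719,4720
whitelist3 = 4722,4725,4726,4732,4733,4735,4738-4740,4767
whitelist3 = 4779,5140,5145
blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name='ProcessName'>[C]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"
blacklist2 = $XmlRegex="<EventID>4658<\/EventID>.*<Data Name='ProcessName'>[C-F]:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe"
"""

# Same stanza with the duplicate key renamed to whitelist4 and blacklist1 replaced
# by the final regex from the thread (no EventID anchor), with '.' escaped as the
# answer recommends so it cannot match e.g. "cqmghostXexe".
FIXED_STANZA = (
    POSTED_STANZA.replace("whitelist3 = 4779", "whitelist4 = 4779")
    .replace(r'blacklist1 = $XmlRegex="<EventID>4656<\/EventID>.*<Data Name=',
             r'blacklist1 = $XmlRegex="<Data Name=')
    .replace("cqmghost.exe", r"cqmghost\.exe")
)

# Regex from the last reply in the thread, copied as posted.
ANSWER_REGEX = (r"\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>"
                r"(C|D|E|F):\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost\.exe")

XML_REGEX_VALUE = re.compile(r'^\$XmlRegex="(.*)"$')


def parse_stanza(text):
    """Return (settings, duplicate_keys) for a single-stanza .conf fragment.

    Hypothetical parser: the last definition of a key wins, as assumed above."""
    settings, count = {}, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":          # skip blanks, comments, stanza header
            continue
        key, _, value = line.partition("=")      # first '=' only: regex values contain '='
        settings[key.strip()] = value.strip()
        count[key.strip()] += 1
    return settings, sorted(k for k, n in count.items() if n > 1)


def whitelisted_ids(settings):
    """Expand whitelistN values such as '4656-4658,4660' into a set of ints."""
    ids = set()
    for key, value in settings.items():
        if key.startswith("whitelist") and not value.startswith("$"):
            for item in value.split(","):
                lo, _, hi = item.strip().partition("-")
                ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def blacklist_regexes(settings):
    """Compile every blacklistN = $XmlRegex="..." value, keyed by setting name."""
    out = {}
    for key, value in settings.items():
        m = XML_REGEX_VALUE.match(value) if key.startswith("blacklist") else None
        if m:
            out[key] = re.compile(m.group(1))
    return out


def decide(event_xml, stanza_text):
    """Return (forwarded, reason) for one rendered-XML event under the stanza."""
    settings, _ = parse_stanza(stanza_text)
    event_id = int(re.search(r"<EventID>(\d+)</EventID>", event_xml).group(1))
    if event_id not in whitelisted_ids(settings):
        return False, "not whitelisted"
    for key, rx in blacklist_regexes(settings).items():
        if rx.search(event_xml):
            return False, f"dropped by {key}"
    return True, "forwarded"


def security_event(event_id, process_name):
    """Constructed minimal event in the single-line XML layout shown in the question."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
        "<Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID><Channel>Security</Channel></System><EventData>"
        "<Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data>"
        f"<Data Name='ProcessName'>{process_name}</Data></EventData></Event>"
    )


def answer_regex_matches(event_xml):
    """True if the regex from the last reply matches the event."""
    return re.search(ANSWER_REGEX, event_xml) is not None


CQMGHOST = r"C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe"

if __name__ == "__main__":
    print("duplicate keys in posted stanza:", parse_stanza(POSTED_STANZA)[1])
    samples = [(4656, CQMGHOST), (4658, CQMGHOST), (4656, "D:" + CQMGHOST[2:]),
               (4767, r"C:\Windows\System32\lsass.exe"), (4624, CQMGHOST)]
    for eid, proc in samples:
        ev = security_event(eid, proc)
        print(eid, proc, "| posted:", decide(ev, POSTED_STANZA), "| fixed:", decide(ev, FIXED_STANZA))
```

Run as a script it prints the decision for each sample event under both stanzas. Two things the output makes visible: the posted 4656 regex does match an event laid out like the one in the question, so a regex that appears to have no effect is worth checking against the effective configuration on the forwarder (splunk btool inputs list --debug) rather than only against regex101; and the repeated whitelist3 key silently drops 4722 through 4767 from the whitelist, which is the kind of error a pre-deployment parse catches.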