Does anyone have core knowledge on how the remove all events the fulfill these two searches, then I’d be very pleased to hear how, as I’ve already spend quite a bit of time investigating, editing and...
See more...
Does anyone have core knowledge on how the remove all events the fulfill these two searches, then I’d be very pleased to hear how, as I’ve already spend quite a bit of time investigating, editing and deploying unfortunately still without lock: index=wineventlog EventCode=4672 host IN (SKEXCH0*) src_user IN (SKEXCH0*$) index=wineventlog EventID=4624 TargetUserName=cscad WorkstationName IN (VHPDOC540*) IpAddress=“122.85.52.*” Where the source for each of the two is as follows: 1. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:49:51.515030900Z'/><EventRecordID>7104199399</EventRecordID><Correlation ActivityID='{08b0282e-d41c-0001-cb3d-b0081cd4d801}'/><Execution ProcessID='924' ThreadID='54024'/><Channel>Security</Channel><Computer>SKEXCH03.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SKEXCH03$</Data><Data Name='SubjectDomainName'>SON</Data><Data Name='SubjectLogonId'>0x183d0ad065</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event> 2. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:55:10.9831608Z'/><EventRecordID>790343401</EventRecordID><Correlation/><Execution ProcessID='860' ThreadID='11144'/><Channel>Security</Channel><Computer>SKDC02.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-606747145-57989841-682003330-85457</Data><Data Name='TargetUserName'>cscad</Data><Data Name='TargetDomainName'>SON</Data><Data Name='TargetLogonId'>0x11a5ba720</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>VHPDOC540COP001</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>122.85.52.113</Data><Data Name='IpPort'>53191</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event> In the inputs.conf I’ve tried the following without any success – yet: [WinEventLog://Security]
disabled = 0
whitelist = 512,513,517,528,529,530,531,532,533,534,535,536,537,539,540,552,592,601,602,612,624,632,636,660,852,1102,4608,4616,4624,4625,4648,4649,4656,4662,4670,4672,4688,4697,4698,4702
,4719,4720,4723,4728,4732,4742,4746,4751,4756,4761,4768,4769,4771,4776,4794,5025,5152,5805,5827,5828,5829,5830,5831,7045,7468
## Blacklisted EventCodes for Exchange and cscad
blacklist3 = EventCode="4672" host="SKEXCH0.*" src_user="SKEXCH\d{2}\$"
blacklist4 = EventCode="4624" TargetUserName="cscad" WorkstationName="VHPDOC540.*" IpAddress="122\.85\.52\.\d{1,3}"
blacklist5 = $XmlRegex="<EventID>4672</\EventID>.*?<Computer>SKEXCH\d{2}\.[a-zA-Z0-9\.]+<\/Computer>.*?SubjectUserName'>SKEXCH\d{2}\$<\/Data>"
blacklist6 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
blacklist7 = $XmlRegex="\<EventID\>4672\</\EventID\>.*?<Computer\>SKEXCH\d{2}\.[a-zA-Z0-9\.]+\<\/Computer\>.*?SubjectUserName\'\>SKEXCH\d{2}\$\<\/Data\>"
blacklist8 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
renderXml=true
index = wineventlog