×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
SplunkUser5
Explorer
Member since: ‎11-21-2023
‎11-12-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎11-21-2023
View All

Re: Issue excluding Windows events for a specific ...

by in Getting Data In
‎03-15-2024 04:31 PM
‎03-15-2024 04:31 PM
I finally tried this using a different index and it worked just fine. I'm thinking it's an issue with the Forwarded Events channel forwarding issue introduced in v9.1. Once we upgrade to v9.2, it should work just fine for EventID 4688. Again, thanks for the input! ... View more

Re: Issue excluding Windows events for a specific ...

by in Getting Data In
‎03-15-2024 04:29 PM
‎03-15-2024 04:29 PM
I did get the exclusion under inputs.conf to work with different indexes using this format, just with double slashes rather than triple or quadruple, so there's just an issue with how my Windows security events are setup. We're upgrading to v9.2 soon in case it's an issue with the arbitrary formatting of the Forwarded Events channel from the v9.1 update. The inputs.conf exclusion seems to work with everything else. ... View more

Re: Issue excluding Windows events for a specific ...

by in Getting Data In
‎02-22-2024 04:36 PM
‎02-22-2024 04:36 PM
Thanks for the input. Escaping the escape characters seems a bit silly, but alright. I couldn't get it working today so I'll try a few more variations next week as I have time. Appreciate the help! ... View more

Re: Issue excluding Windows events for a specific ...

by in Getting Data In
‎02-22-2024 04:30 PM
‎02-22-2024 04:30 PM
Did not realize that. Thank you for the correction. Removing quotes didn't exclude the Teams events though so I must have something else set wrong. As far as what I have posted, does it seem right? I'm not super familiar with troubleshooting props.conf and transforms.conf settings yet. ... View more

Issue excluding Windows events for a specific new ...

by in Getting Data In
‎02-21-2024 02:51 PM
‎02-21-2024 02:51 PM
Hi Folks, I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it. I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far: _____inputs.conf_____ blacklist3 = EventCode="4688" new_process_name=".*Teams.exe" blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>" blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>" blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>" None of these have worked. I found a couple community articles saying props.conf and transforms.conf was the proper way to filter out events so I tried these as well: _____props.conf_____ [WinEventLog:Security] TRANSFORMS-null = 4688cleanup _____transforms.conf_____ [4688cleanup] REGEX = "Teams\.exe<\/Data>" DEST_KEY = queue FORMAT = nullQueue And this: _____transforms.conf_____ [4688cleanup] REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data> DEST_KEY = queue FORMAT = nullQueue None of these have worked so far and I'd appreciate any input y'all have. Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process): <Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event> And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process): <Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQNDN</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>     Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101 so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks! -SplunkUser5 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-12-2024 04:28 PM
Karma given to
View All