Solved: Blacklisting in [WinEventLog://Security]

nick_currie · ‎03-15-2023

Im looking to drop EventID 4673 where the action=failure

Here is an example log

3/15/2023 02:51:42 PM LogName=Security EventCode=4673 EventType=0 ComputerName=redacted SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=redacted Keywords=Audit Failure TaskCategory=Sensitive Privilege Use OpCode=Info Message=A privileged service was called. Subject: Security ID: redacted Account Name: redacted Account Domain: redacted Logon ID: redacted Service: Server: Security Service Name: Process: Process ID: xxxxx Process Name: C:\Windows\System32\backgroundTaskHost.exe Service Request Information: Privileges: SeTcbPrivilege

From reading

https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf?_ga=2.40401506.1999669205.1678852413-817152181.1624861549&_gl=1*s1kmhp*_ga*ODE3MTUyMTgxLjE2MjQ4NjE1NDk.*_ga_5EPM2P39FV*MTY3ODg2MDY5OS44Ni4xLjE2Nzg4NjA3NjAuNjAuMC4w#Event_Log_allow_list_and_deny_list_formats

I can see that action is not a valid field to filter on?

# Valid keys for the key=regex format:

* The following keys are equivalent to the fields that appear in the text of
  the acquired events:
  * Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
    LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
    TaskCategory, Type, User

So i chose to use Keywords which has the value Audit Failure

Here is my inputs.conf

---------------------

[WinEventLog://Security]
disabled = 0
index=corp_oswinsec
current_only=1
evt_resolve_ad_obj=0
checkpointInterval = 5

blacklist1 = EventCode="4673" Keywords="Audit Failure"

--------------------------------

I am still seeing these events being indexed however - any tips on where i am going wrong would be much appreciated!

nick_currie · ‎03-16-2023

Ok thanks Rick - What worked for this was

EventCode="4673" Keywords=".*Failure"

Thanks for your help!

View solution in original post

nick_currie · ‎03-15-2023

Further testing has shown i can filter with regex on the Message field - such as this to filter out any msedge events.
blacklist = EventCode="4673" Message=".*Edge"

The issue is that the Message field does not contain whether it is successful or not. That information is only within the Keywords field of the fields that the UF is supposed to be able to blacklist with.. Is this a bug or do I need to do this another way? I dont want to have to send all of this traffic back to a HF to filter it as we have some mobile devices that send logs directly to splunk cloud so as not to require the VPN.

PickleRick · ‎03-15-2023

I'm not sure I follow. If the Success/Failure value is stored in Keywords field, you can't match against it on Message field.

In such case you should match on

EventCode=4673 Keywords=Failure

nick_currie · ‎03-15-2023

No what i mean is that the regex does not seem to work for me on the Keywords field. Have you tried?

PickleRick · ‎03-15-2023

No. I "misadvised" you. I forgot that indeed the regex must be surrounded by something (and since you used a quote, I mistook it with the typical mistake in props.conf).

Yes, the regex must be surrounded by something so that the UF can properly find where the spearate regexes start and end.

So it turns out it should be done like this:

EventCode="4673" Keywords="Failure"

or

EventCode=%4673% Keywords=%Failure%

or

EventCode=*4673* Keywords=/Failure/

...

nick_currie · ‎03-16-2023

Ok thanks Rick - What worked for this was

EventCode="4673" Keywords=".*Failure"

Thanks for your help!

nick_currie · ‎03-15-2023

Thanks for the suggestions however none of them work - i have tried both of those as well as various other options combinations - with and without quotes on the eventcode and on the keywords statement

blacklist = EventCode=4673 Keywords=Audit\sFailure

blacklist = EventCode=4673.*Keywords=Audit Failure

what i have discovered is that I can blacklist the entire event easily enough by using

blacklist = EventCode="4673"

but when i try to blacklist the event without quotes it doesnt work.

However I would like to keep the successful events in splunk - has anyone else managed this and is willing to share their configuration?

PickleRick · ‎03-15-2023

Specifying regexes for white/blacklisting can be a PITA sometimes. Instead of

EventCode="4673" Keywords="Audit Failure"

Try

EventCode=4673 Keywords=Audit\sFailure

In your case quotes are interpreted as parts of regexes so if your values don't contain them, they're not getting filtered out.

gcusello · ‎03-15-2023

Hi @nick_currie,

to blacklist events you can use more approaches in wineventlog:

blacklist = <comma-separated list> | key=regex [key=regex]

if you have more fields, I'd prefer to use a regex

blacklist = EventCode=4673.*Keywords=Audit Failure

Ciao.

Giuseppe

Blacklisting in [WinEventLog://Security]

blacklist

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!