Hello community,
I am having an issue creating appropriate SEDCMD to reduce the size of specific Win events.
I am trying to extract only one random bit (could be anything) and throw away all the rest before they get indexed.
Below is the raw event I wanted to drop (it is large). I just want a single word/line. I did try the following but it did nothing. Under the Splunk_TA_Windows local/props I put something like [source::XmlWinEventLog:Security] SEDCMD-4688_splunkd_events_clearing=s/.\\Program Files\\.+\\splunkd\.exe//g
----------------------------------------------- Raw Event---------------------------------------------------
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>
Any help is much appreciated. Thank you All!
Hi @DanAlexander,
You can use the TRUNCATE option in props.conf to define the max length of each event.
To use SEDCMD, you have to identify a regex with the contents to maintain.
Can you highlight in bold the parts of the events to maintain?
Did you define a rule about the contents to maintain?
Ciao.
Giuseppe
Thanks for the reply @gcusello
I would like to replace all of the content with the following: ParentProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Regards,
Dan
Hi @DanAlexander,
please try this:
SEDCMD = s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g
Ciao.
Giuseppe
I tried the following but still, events are intact:
[XmlWinEventLog]
SEDCMD = s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g
Hi @DanAlexander,
please try:
SEDCMD = s/.*/ParentProcessName\s*\=\s*C:\\Program\sFiles\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g
it runs on regex101.com as you can see at https://regex101.com/r/TM5deo/1
if it doesn't run in Splunk, use three backslashes where there are two.
SEDCMD = s/.*/ParentProcessName\s*\=\s*C:\\\Program\sFiles\\\SplunkUniversalForwarder\\\bin\\\splunkd\.exe/g
Ciao.
Giuseppe
Unfortunately it is not working.
Hi @gcusello,
I am sure of the below:
source=XmlWinEventLog:Security with sourcetype=XmlWinEventLog
Thank you
Hi @DanAlexander,
only for testing, please try:
SEDCMD = s/.*/ParentProcessName/g
If this runs, the problem is the regex for the substitution.
Ciao.
Giuseppe
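An added example, not code from the thread: a small Python helper that applies a SEDCMD-style s/// script to a constructed, trimmed copy of the 4688 event, so a script can be checked offline before it goes into props.conf. The sed-style handling of the g flag and the literal-replacement semantics are an approximation of Splunk's behaviour, not its implementation, and the props.conf key form SEDCMD-<class> mentioned in the comments is from the props.conf spec, not from the thread.

```python
import re

# Constructed sample: a trimmed copy of the 4688 event from the post (same element order, placeholder host).
RAW_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID>"
    "<Channel>Security</Channel><Computer>HOST01</Computer></System><EventData>"
    "<Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='NewProcessName'>"
    "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe</Data>"
    "<Data Name='CommandLine'></Data><Data Name='ParentProcessName'>"
    "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data></EventData></Event>"
)

# The three scripts from the thread, as they would follow "SEDCMD-<class> = " in a props.conf stanza.
STRIP_PATH = r"s/.\\Program Files\\.+\\splunkd\.exe//g"
KEEP_PARENT = r"s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g"
MARKER_ONLY = r"s/.*/ParentProcessName/g"

SED_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([a-z]*)")  # '/' delimiter only

def parse_sed(script):
    """Split an s/regex/replacement/flags script; escape pairs such as \\\\ \\/ \\. \\= stay intact."""
    m = SED_RE.fullmatch(script)
    if not m:
        raise ValueError("unsupported or malformed sed script: %r" % script)
    return list(m.groups())

def apply_sedcmd(script, event):
    """Apply one script with sed-style semantics: the regex is PCRE-like, the replacement is literal
    text (backslash escapes removed, backreferences not supported), and with the g flag an empty
    match directly after the previous match is skipped, so s/.*/X/g yields a single X."""
    regex, repl, flags = parse_sed(script)
    repl = re.sub(r"\\(.)", r"\1", repl)  # \\ -> \, \= -> =, \. -> .
    out, pos, last_end = [], 0, -1
    for m in re.finditer(regex, event):
        if m.start() == m.end() == last_end:
            continue
        out.append(event[pos:m.start()])
        out.append(repl)
        pos, last_end = m.end(), m.end()
        if "g" not in flags:
            break
    out.append(event[pos:])
    return "".join(out)
```

Running STRIP_PATH against the sample shows why a greedy `.+` between two backslash-separated paths is risky: it removes everything from the first `\Program Files\` through the last `\splunkd.exe`, including the CommandLine and ParentProcessName elements in between.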
Hi @gcusello
I cannot test it in production as one of the indexers throws a replication error and I had to roll back.
All regexes work, but when added to the Splunk TA Windows under local props they would not work and the logs are of the same size.
Any other thoughts, please?
Regards,
Dan
Hi @DanAlexander,
could you use a test system with the same configurations?
I suggested this test because every time I had to work with regexes containing backslashes I found problems in Splunk, but the SEDCMD I shared should be correct.
For this reason I'd like to understand if the problem is inside or outside the regex, to be focused on the issue.
Ciao.
Giuseppe
Hi @gcusello
I did add the below to one of our indexers in /opt/splunk/etc/system/local/props.conf for testing as the highest precedence and searched specifically for events coming from that particular indexer, and still no changes seen.
[WinEventLog]
SEDCMD=s/.*/ParentProcessName/g
[wineventlog]
SEDCMD=s/.*/ParentProcessName/g
[xmlwineventlog]
SEDCMD=s/.*/ParentProcessName/g
[XmlWinEventLog]
SEDCMD=s/.*/ParentProcessName/g
[source::WinEventLog:Security]
SEDCMD=s/.*/ParentProcessName/g
[WinEventLog:Security]
SEDCMD=s/.*/ParentProcessName/g
[WinEventLog:ForwardedEvents]
SEDCMD=s/.*/ParentProcessName/g
[source::WinEventLog:ForwardedEvents]
SEDCMD=s/.*/ParentProcessName/g
Hi @DanAlexander,
is there an intermediate Heavy Forwarder between the Universal Forwarder and the Indexers?
If yes, put this configuration also on these Heavy Forwarders.
Ciao.
Giuseppe
Hi @gcusello,
We do not have any HF; the UFs forward directly to our indexers.
Hi @DanAlexander,
To my knowledge this parameter should run on Indexers (or HFs if present), but only for testing, could you add the SEDCMD also to the props on the UF?
Ciao,
Giuseppe
Apologies, for clarification: the opening [ is there; it was a copy/paste typo on my side.