Getting Data In

How to achieve SEDCMD raw event size reduction?

DanAlexander
Communicator

Hello community,

I am having an issue creating appropriate SEDCMD to reduce the size of specific Win events.

I am trying to extract only one random bit (could be anything) and through all the rest before they get indexed.

Below is the raw Event and wanted to drop (it is large). I just want a single word/line. I did try the following but it did nothing. Under the Splunk_TA_Windows local/props I did put something like  [source::XmlWinEventLog:Security] SEDCMD-4688_splunkd_events_clearing=s/.\\Program Files\\.+\\splunkd\.exe//g 

----------------------------------------------- Raw Event---------------------------------------------------

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>

Caller_Domain = XXXXXXXX ller_User_Name = XXXXXXXX Channel = SecurityComputer = XXXXXXXX privEVentId = EventIDError_Code = -EventCode = 4688EventData_Xml = <Data Name='SubjectUserSid'> XXXXXXXX </Data><Data Name='SubjectUserName'> XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>S-1-16-16384</Data>EventID = 4688EventRecordID = 12 XXXXXXXXid = '{54849625-XXXXXXXX-a5ba-3e3b0328c30d}'Keywords = 0x8020000000000000Level = 0Logon_ID = 0x3e7MandatoryLabel = S-1-16-16384Name = 'Microsoft-Windows-Security-Auditing'NewProcessId = 0x2XXXXXXXX4NewProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeOpcode = 0ParentProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeProcessID = '4'ProcessId = 0x17d4RecordNumber = 12536409SubjectDomainName = XXXXXXXXbjectLogonId = 0x3e7SubjectUserName = XXXXXXXX= S-1-5-18SystemTime = XXXXXXXX:39:41.797279900Z'System_Props_Xml = <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXXXXX4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10XXXXXXXX/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer>XXXXXXXX</Computer><Security/>TargetDomainName = -TargetLogonId = 0x0TargetUserName = -TargetUserSid = S-1-0-0Target_Domain = -Target_User_Name = -Task = 13312ThreadID = '15216'TokenElevationType = %%1936Token_Elevation_Type = %%1936Token_Elevation_Type_id = 1936Version = 2action = allowedapp = win:unknowndest = XXXXXXXX= XXXXXXXXcaracal01.greenstream.privdvc_nt_host = XXXXXXXXevent_id = 12536409eventtype = endpoint_services_processes eventtype = windows_endpoint_processes process report eventtype = windows_event_signature track_event_signatures eventtype = windows_process_new execute process start eventtype = wineventlog_security os windows eventtype = wineventlog_windows os windows eventtype = winsec securityhost = XXXXXXXXid = 12536409index = XXXXXXXXserverlinecount = 1name = A new process has been creatednew_process = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exenew_process_id = 0x2734new_process_name = splunk-MonitorNoHandle.exeparent_process = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeparent_process_id = 0x17d4parent_process_name = splunkd.exeparent_process_path = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeprocess = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeprocess_exec = splunk-MonitorNoHandle.exeprocess_id = 0XXXXXXXX4process_name = splunk-MonitorNoHandle.exeprocess_path = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeproduct = Windowspunct = <_='://../////'><><_='---'_='{----}'/><></><></><>session_id = 0x3e7signature = A new process has been createdsignature_id = 4688source = XmlWinEventLog:Securitysourcetype = XmlWinEventLogsplunk_server = XXXXXXXX_nt_domain = XXXXXXXXsrc_user = XXXXXXXX$status = successsubject = A new process has been createdta_windows_action = failuretag = execute tag = os tag = process tag = report tag = security tag = start tag = track_event_signatures tag = windowsuser = XXXXXXXX$user_group = -vendor = Microsoftvendor_product = Microsoft Windows

Any help is much appreciated. Thank you All!

 

Labels (5)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

you can use the TRUNCATE option in props.conf to define the max lenght of each event.

to use SEDCMD, you have to identify a regex with the contents to maintain.

Can you highlight in bold the events' partes to maintain?

did you defined a rule about the contents to maintain?

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Thanks for the reply @gcusello 

I would like to replace all of the content with the following: ParentProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

Regards,

Dan

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

please try this:

SEDCMD = s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

I tried the following but still, events are intact:

[XmlWinEventLog]

SEDCMD = s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

please try:

SEDCMD = s/.*/ParentProcessName\s*\=\s*C:\\Program\sFiles\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g

it runs on regex101.com as you can see at https://regex101.com/r/TM5deo/1

if it doesn't run in Splunk, use three backslashes where there are two.

SEDCMD = s/.*/ParentProcessName\s*\=\s*C:\\\Program\sFiles\\\SplunkUniversalForwarder\\\bin\\\splunkd\.exe/g

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Unfortunately is not working

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

are you sure that your logs have sourcetype=XmlWinEventLog ?

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Hi @gcusello,

I am sure the below:

source=XmlWinEventLog:Security with sourcetype=XmlWinEventLog 

Thank you

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

only for testing, please try:

SEDCMD = s/.*/ParentProcessName/g

If this runs, the problem is the regex for the substitution.

ciao.

giuseppe

0 Karma

DanAlexander
Communicator

Hi @gcusello 

I cannot test it in production as one of the indexers throughs a replication error and I had to rollback.

All regexes work but when adding to the Splunk TA Windows under local props would not work and logs are of the same size.

Any other thoughts, please?

Regards,

Dan

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

could you use a test system with the same configurations?

I hinted this test because  all the times I had to work with regexes containing backslasher I found problems in Splunk, but the SEDCMD I share should be correct.

For this reason I'd like to understand if the problem is inside or outside the regex, to be focused on the issue.

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Hi @gcusello 

I did add the below to one of our indexers in /opt/splunk/etc/system/local/props.conf for testing as the highest precedence and searched specifically for events coming from that particular indexer and still no changes seen

WinEventLog]

SEDCMD=s/.*/ParentProcessName/g

 

[wineventlog]

SEDCMD=s/.*/ParentProcessName/g

 

[xmlwineventlog]

SEDCMD=s/.*/ParentProcessName/g

 

[XmlWinEventLog]

SEDCMD=s/.*/ParentProcessName/g

 

[source::WinEventLog:Security]

SEDCMD=s/.*/ParentProcessName/g

 

[WinEventLog:Security]

SEDCMD=s/.*/ParentProcessName/g

 

[WinEventLog:ForwardedEvents]

SEDCMD=s/.*/ParentProcessName/g

 

[source::WinEventLog:ForwardedEvents]

SEDCMD=s/.*/ParentProcessName/g

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

is there an intermediate Heavy Forwarder between the Universal Forwarder and the Indexers?

If yes, put this configuration also on these Heavy Forwarders.

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Hi @gcusello,

We do not have any HF and UF forwarding directly to our indexers.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

for my knowledge this parameter should run on Indexers (or HF if present), but only for test, could you add the SEDCMD also ti the props on UF?

Ciao,

Giuseppe

0 Karma

DanAlexander
Communicator

Apologies, for clarification the opening [ is there it was a copy/paste typo my side.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...