
Need an xml regex to exclude these events

AL3Z
Builder

Hi,

Is there someone here who can create an XML regular expression for these events to prevent them from being ingested into Splunk?

1. Sample Event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXX}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>xxxxx</Keywords><TimeCreated SystemTime='2023-11-27'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8768'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>xxx\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>xxx</Data><Data Name='NewProcessId'>0x3878</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data><Data Name='TokenElevationType'>%%xxxx</Data><Data Name='ProcessId'>xxxx</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>xxx</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

THANKS


gcusello
SplunkTrust

Hi @AL3Z,

Let me understand: do you want to filter your logs to send these events to nullqueue, or do you want to delete part of these events?

In the first case, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Routeandfilterdatad using this regex:

\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>

If you could also share events to keep, I could be more sure about the regex.

Ciao.

Giuseppe


AL3Z
Builder

HI @gcusello ,
I want to exclude these events by blacklisting them in inputs.conf so that they stop being ingested into Splunk.


gcusello
SplunkTrust

Hi @AL3Z,

Are they Windows events?

If yes, you can blacklist them; if not, you cannot blacklist them in inputs.conf.

Then you have to check whether the regex I shared is correct or too broad; for this reason I asked you to also share events that should not be discarded.

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

Yes, they're Windows events...


gcusello
SplunkTrust

Hi @AL3Z,

OK, I'm not sure that the regex I shared is right for you: you shared events to discard, but I also need events that should not be discarded. Could you share them?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

These are the events which I want to exclude:

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>
<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>


gcusello
SplunkTrust

Hi @AL3Z,

If you want to discard the four samples you shared in the original question but not the last one, the above regex is correct, as you can check at https://regex101.com/r/x5zuYc/1

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

Is this regex going to exclude all the Windows events starting with this "\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>", right?

By the way, my intention is to exclude all the security tool events specific to EventCode 4688, e.g. Tanium, Splunk, Windows Defender, etc.

Can we whitelist all the Windows events like C:\\Windows\\*?
We need to ingest all the Windows events like, e.g., cmd.exe, reg.exe, etc.

Thanks..

gcusello
SplunkTrust

Hi @AL3Z,

Both approaches are correct.

Ciao.

Giuseppe

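As an added example that is not code from this thread or from Splunk, the following Python script runs the regex Giuseppe shared, plus the two alternatives AL3Z asked about (a blacklist keyed on the tool install paths and a whitelist of C:\Windows\ processes), against constructed 4688 events built in the layout of the sample above. The narrower path-based regex, the whitelist regex, the sample events and the function names are my assumptions; the inputs.conf blacklist and whitelist syntax itself is in the Splunk documentation linked in the first answer and is not reproduced here.

```python
import re

# Regex shared in the thread. It matches the opening <Event> tag that every
# Windows XML event carries, so used as a blacklist it discards every event.
BROAD = re.compile(
    r"<Event xmlns='http://schemas\.microsoft\.com/win/\d+/\d+/events/event'>"
)

# Assumed narrower alternative (not from the thread): only EventID 4688 whose
# NewProcessName sits under one of the security-tool install paths named in
# the thread. Backslashes are doubled because they are regex-escaped.
TOOL_PATHS = [
    r"C:\\Program Files \(x86\)\\Tanium\\",
    r"C:\\Program Files\\SplunkUniversalForwarder\\",
    r"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\",
]
NARROW = re.compile(
    r"<EventID>4688</EventID>.*?<Data Name='NewProcessName'>(?:"
    + "|".join(TOOL_PATHS)
    + r")[^<]*</Data>",
    re.DOTALL,
)

# Assumed whitelist regex for the C:\Windows\* idea raised in the thread.
WHITELIST_WINDOWS = re.compile(r"<Data Name='NewProcessName'>C:\\Windows\\")


def make_4688(new_process: str, parent: str) -> str:
    """Build a constructed, minimal 4688 event in the XML layout of the sample."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        "<EventID>4688</EventID><Channel>Security</Channel></System>"
        "<EventData>"
        f"<Data Name='NewProcessName'>{new_process}</Data>"
        f"<Data Name='ParentProcessName'>{parent}</Data>"
        "</EventData></Event>"
    )


# Constructed samples: three tool events from the thread, one cmd.exe event
# the asker wants to keep, and a logon event that has no NewProcessName field.
SAMPLES = {
    "tanium": make_4688(
        r"C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe",
        r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe",
    ),
    "splunk_uf": make_4688(
        r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
        r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
    ),
    "defender": make_4688(
        r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
        r"\Platform\10.8560.25364.1036\SenseCnCProxy.exe",
        r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
        r"\Platform\10.8560.25364.1036\MsSense.exe",
    ),
    "cmd": make_4688(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    "logon_4624": (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><EventID>4624</EventID><Channel>Security</Channel></System>"
        "<EventData><Data Name='TargetUserName'>alice</Data></EventData></Event>"
    ),
}


def matching_events(pattern: re.Pattern, events: dict) -> list:
    """Sorted names of the events the regex matches.

    For a blacklist, matching events are discarded; for a whitelist, matching
    events are the only ones kept and everything else is discarded.
    """
    return sorted(name for name, xml in events.items() if pattern.search(xml))


if __name__ == "__main__":
    print("broad blacklist discards:", matching_events(BROAD, SAMPLES))
    print("narrow blacklist discards:", matching_events(NARROW, SAMPLES))
    print("C:\\Windows whitelist keeps:", matching_events(WHITELIST_WINDOWS, SAMPLES))
```

Running it shows the difference between the three options: the shared regex matches all five samples, because every Windows XML event begins with that `<Event xmlns=...>` tag, so as a blacklist it would stop the cmd.exe and logon events as well as the tool noise. The path-based regex matches only the three tool events. The whitelist keyed on NewProcessName keeps only cmd.exe and would also drop the 4624 logon, which has no such field, so a whitelist of this kind needs to be scoped to EventCode 4688 before it goes into inputs.conf, otherwise the visibility loss is larger than intended.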