Hi,
Is there someone here who can create an XML regular expression for these events to prevent them from being ingested into Splunk?
1. Sample Event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXX}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><xxx>0</Opcode><Keywords>xxxxx</Keywords><TimeCreated SystemTime='2023-11-27'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8768'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>xxx\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>xxx</Data><Data Name='NewProcessId'>0x3878</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data><Data Name='TokenElevationType'>%%xxxx</Data><Data Name='ProcessId'>xxxx</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>xxx</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
THANKS
Hi @AL3Z,
Let me understand: do you want to filter your logs to send these events to nullqueue, or do you want to delete part of these events?
In the first case, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Routeandfilterdatad using this regex
\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>
If you can also share events to keep, I could be more sure about the regex.
Ciao.
Giuseppe
Hi @gcusello,
I want to exclude these events by blacklisting them in inputs.conf so that they stop being ingested into Splunk...
Hi @AL3Z,
Are they Windows events?
If yes, you can blacklist them; if not, you cannot blacklist them in inputs.conf.
Then you have to check if the regex I shared is correct or too broad; for this reason I asked you to also share events not to discard.
Ciao.
Giuseppe
Yes, they're Windows events...
Hi @AL3Z,
OK, I'm not sure that the regex I shared is OK for you: you shared events to discard, but I also need events not to discard; could you share them?
Ciao.
Giuseppe
These are the events which I want to exclude:
<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>
<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>
Hi @AL3Z,
If you want to discard the four samples you shared in the original question but not the last one, the above regex is correct, as you can check at https://regex101.com/r/x5zuYc/1
Ciao.
Giuseppe
@gcusello,
Is this regex going to exclude all the Windows events starting with "\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>", right?
By the way, my intention is to exclude all the security tool events specific to EventCode 4688, e.g. Tanium, Splunk, Windows Defender, etc.
Can we whitelist all the Windows events like C:\\ Windows\\*?
We need to ingest all the Windows events like, e.g., cmd.exe, reg.exe, etc.
Thanks.
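The asker's last question (does the proposed regex drop every Windows event?) can be answered by running both patterns over a few events before touching inputs.conf. The script below is an added example, not code from the thread or from Splunk: it applies the regex Giuseppe posted, then a narrower pattern that only matches EventID 4688 events whose NewProcessName sits under the three tool directories the asker listed (Tanium, SplunkUniversalForwarder, Windows Defender Advanced Threat Protection). The event strings are constructed, modelled on the thread's sample with the redacted fields removed; the narrower pattern and the helper names are assumptions, not something from the thread.

```python
import re

# Regex posted in the thread. It keys on the <Event xmlns=...> header that every
# Windows event rendered as XML carries, so it matches far more than EventID 4688.
THREAD_REGEX = re.compile(
    r"<Event xmlns='http://schemas\.microsoft\.com/win/\d+/\d+/events/event'>"
)

# Assumed narrower pattern: EventID 4688 AND a NewProcessName under one of the
# security-tool directories from the thread. Each entry is a regex fragment, so
# backslashes and parentheses are escaped. cmd.exe, reg.exe etc. under C:\Windows
# never match and keep flowing into Splunk.
TOOL_DIRS = [
    r"C:\\Program Files \(x86\)\\Tanium\\",
    r"C:\\Program Files\\SplunkUniversalForwarder\\",
    r"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\",
]
NARROW_REGEX = re.compile(
    r"<EventID>4688</EventID>.*?<Data Name='NewProcessName'>(?:"
    + "|".join(TOOL_DIRS)
    + r")",
    re.DOTALL,
)


def make_4688(new_proc: str, parent_proc: str) -> str:
    """Build a constructed, minimal 4688 event in the thread's XML shape."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><EventID>4688</EventID><Channel>Security</Channel></System>"
        "<EventData>"
        f"<Data Name='NewProcessName'>{new_proc}</Data>"
        f"<Data Name='ParentProcessName'>{parent_proc}</Data>"
        "</EventData></Event>"
    )


# Constructed sample set: three tool events the asker wants dropped, one cmd.exe
# event that must be kept, and a non-4688 logon event that must also be kept.
SAMPLE_EVENTS = {
    "tanium": make_4688(
        r"C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe",
        r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe",
    ),
    "splunk": make_4688(
        r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
        r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
    ),
    "defender": make_4688(
        r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe",
        r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe",
    ),
    "cmd": make_4688(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    "logon_4624": (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><EventID>4624</EventID><Channel>Security</Channel></System>"
        "<EventData><Data Name='LogonType'>3</Data></EventData></Event>"
    ),
}


def blacklisted(events: dict, pattern: re.Pattern) -> list:
    """Return the names of the events that `pattern` would send to nullQueue."""
    return sorted(name for name, xml in events.items() if pattern.search(xml))


if __name__ == "__main__":
    print("thread regex drops :", blacklisted(SAMPLE_EVENTS, THREAD_REGEX))
    print("narrow regex drops :", blacklisted(SAMPLE_EVENTS, NARROW_REGEX))
```

Run as-is, the thread regex drops all five events, including cmd.exe and the 4624 logon, which is what the asker feared; the narrower pattern drops only the three tool events. Once a pattern behaves as intended on samples, it can be moved into the WinEventLog input's blacklist setting (the `key="regex"` form from the Splunk docs linked in the thread); whether the regex runs against the rendered XML or only against the Message field depends on the input configuration, so the same sample check should be repeated against real events after deployment.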