Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need an xml regex to exclude these events

AL3Z
Builder
‎11-27-2023 06:19 AM

Hi,

Is there someone here who can create an XML regular expression for these events to prevent them from being ingested into Splunk?

1. Sample Event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXX}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><xxx>0</Opcode><Keywords>xxxxx</Keywords><TimeCreated SystemTime='2023-11-27'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8768'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>xxx\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>xxx</Data><Data Name='NewProcessId'>0x3878</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data><Data Name='TokenElevationType'>%%xxxx</Data><Data Name='ProcessId'>xxxx</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>xxx</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

THANKS

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2023 06:45 AM

Hi @AL3Z,

let me understand: do you want to filter your logs to send these event to nullqueue or do you want to delete part of these events?

in the first case, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Routeandfilterdatad using this regex

\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>

if you can share also events to maintain, I could be more sure abut the regex.

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎11-27-2023 08:19 AM

HI @gcusello ,
I want to exclude these events by blacklisting  on inputs.conf so that it can be stop ingesting into splunk .........

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2023 08:27 AM

Hi @AL3Z,

are they windows events?

if yes, you can blacklist them, if not, you cannot blacklist them in inputs.conf.

Then you have to check if the regex I shared is correct or too large, for this reasono I asked to share also events to not discard.

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎11-27-2023 08:54 AM

@gcusello ,

Yes they're windows events...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2023 09:03 AM

Hi @AL3Z,

ok, I'm not sure that the regex I shared is ok for you: you shared events to discard, but I also need events to not discard, could you share them?

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎11-27-2023 09:12 AM

@gcusello ,

These are the events which I want to exclude

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>
<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2023 09:17 AM

Hi @AL3Z,

if you want to discard the four samples you shared in the original question but not the last one, the above regex is correct, as you can check at https://regex101.com/r/x5zuYc/1

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎11-27-2023 09:27 AM

@gcusello ,

Is this regex going to exclude all the windows events starting with this "\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>"   right?

By the way my intention is to exclude all the secutiy tool events specific to eventcode 4688 eg, tanium,splunk ,windows defender etc.,

can we whitelist all the windows events like C:\\ Windows\\* 
we need to ingesting all the windows events like eg. cmd.exe,reg.exe etc., 

Thanks..




 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2023 09:58 AM

Hi @AL3Z,

both the approaches are correct.

Ciao.

Giuseppe

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...