
Need an xml regex to exclude these events

AL3Z
Builder

Hi,

Is there someone here who can create an XML regular expression for these events to prevent them from being ingested into Splunk?

1. Sample Event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXX}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>xxxxx</Keywords><TimeCreated SystemTime='2023-11-27'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8768'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>xxx\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>xxx</Data><Data Name='NewProcessId'>0x3878</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data><Data Name='TokenElevationType'>%%xxxx</Data><Data Name='ProcessId'>xxxx</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>xxx</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Thanks


gcusello
SplunkTrust

Hi @AL3Z,

Let me understand: do you want to filter your logs to send these events to nullQueue, or do you want to delete part of these events?

In the first case, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Routeandfilterdatad using this regex:

\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>

If you can also share events to keep, I could be more sure about the regex.

Ciao.

Giuseppe


AL3Z
Builder

Hi @gcusello,
I want to exclude these events by blacklisting them in inputs.conf so that they stop being ingested into Splunk.


gcusello
SplunkTrust

Hi @AL3Z,

Are they Windows events?

If yes, you can blacklist them; if not, you cannot blacklist them in inputs.conf.

Then you have to check whether the regex I shared is correct or too broad; for this reason I asked you to also share events that should not be discarded.

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

Yes, they're Windows events.


gcusello
SplunkTrust

Hi @AL3Z,

OK, I'm not sure that the regex I shared is right for you: you shared events to discard, but I also need events that should not be discarded. Could you share them?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

These are the events which I want to exclude (NewProcessName/ParentProcessName pairs):

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>
<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>


gcusello
SplunkTrust

Hi @AL3Z,

if you want to discard the four samples you shared in the original question but not the last one, the above regex is correct, as you can check at https://regex101.com/r/x5zuYc/1

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

Is this regex going to exclude all the Windows events starting with "\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>", right?

By the way, my intention is to exclude all the security tool events specific to EventCode 4688, e.g. Tanium, Splunk, Windows Defender, etc.

Can we whitelist all the Windows events like C:\\Windows\\*?
We need to ingest all the Windows events like, e.g., cmd.exe, reg.exe, etc.

Thanks.

gcusello
SplunkTrust

Hi @AL3Z,

Both approaches are correct.

Ciao.

Giuseppe

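To make the two options discussed in this thread concrete, here is an added example (editor's code, not from either poster) that builds a blacklist regex for the four tool binaries listed above, builds the C:\Windows\ whitelist the asker mentioned, runs both over constructed sample events, and renders the inputs.conf stanza that applies the blacklist. The executable paths are the ones posted in the thread; the sample events, the HOST$/alice placeholders, the second Defender version folder and the `$XmlRegex` key name are assumptions (the key is the one inputs.conf documents for regexes over the raw XML event when renderXml = true, but confirm it against the inputs.conf.spec shipped with your forwarder version).

```python
import re

# --- Constructed sample events (only the paths come from the thread) ---------

def make_event(event_id: int, data: dict) -> str:
    """Single-line XML Security event in the shape the forwarder renders with
    renderXml = true; only the fields the filter rules look at are present."""
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID><Channel>Security</Channel></System>"
        f"<EventData>{body}</EventData></Event>"
    )

def process_creation(new_process: str, parent: str) -> str:
    """A 4688 event with the fields that matter for filtering (HOST$ is a placeholder)."""
    return make_event(4688, {"SubjectUserName": "HOST$", "NewProcessName": new_process,
                             "CommandLine": "", "ParentProcessName": parent})

TANIUM_EXEC = r"C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe"
TANIUM_CLIENT = r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe"
TANIUM_FILEINFO = r"C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe"
SPLUNK_PS = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform"

SAMPLE_EVENTS = {
    # the four process-creation events the asker wants to drop
    "tanium_execwrapper": process_creation(TANIUM_EXEC, TANIUM_CLIENT),
    "tanium_fileinfo": process_creation(TANIUM_FILEINFO, TANIUM_EXEC),
    "splunk_powershell": process_creation(SPLUNK_PS, SPLUNKD),
    "defender_proxy": process_creation(DEFENDER_DIR + r"\10.8560.25364.1036\SenseCnCProxy.exe",
                                       DEFENDER_DIR + r"\10.8560.25364.1036\MsSense.exe"),
    # same sensor after a platform update (assumed version folder)
    "defender_proxy_updated": process_creation(DEFENDER_DIR + r"\10.8760.1.1\SenseCnCProxy.exe",
                                               DEFENDER_DIR + r"\10.8760.1.1\MsSense.exe"),
    # events that must survive filtering
    "cmd_from_explorer": process_creation(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    "binary_in_temp": process_creation(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                                       r"C:\Windows\System32\cmd.exe"),
    "lookalike_in_temp": process_creation(r"C:\Users\alice\AppData\Local\Temp\TaniumExecWrapper.exe",
                                          r"C:\Windows\System32\cmd.exe"),
    "logon_4624": make_event(4624, {"TargetUserName": "alice", "LogonType": "2"}),
}

# --- Blacklist: drop 4688 only for the listed tool binaries, matched by full path

NOISE_PATTERNS = [
    re.escape(TANIUM_EXEC),
    re.escape(TANIUM_FILEINFO),
    re.escape(SPLUNK_PS),
    # the Defender platform folder carries a version that changes on update,
    # so that segment is a pattern rather than the literal from the thread
    re.escape(DEFENDER_DIR) + r"\\[\d.]+\\SenseCnCProxy\.exe",
]

# Anchoring on the whole NewProcessName value means a file with the same name
# launched from a user-writable directory is still ingested.
BLACKLIST_REGEX = (r"<EventID>4688</EventID>.*<Data Name='NewProcessName'>(?:"
                   + "|".join(NOISE_PATTERNS) + r")</Data>")
BLACKLIST = re.compile(BLACKLIST_REGEX)

def blacklisted(event_xml: str) -> bool:
    """True if the blacklist rule would discard this event at the forwarder."""
    return BLACKLIST.search(event_xml) is not None

# --- Whitelist alternative: keep only 4688 for processes under C:\Windows -----

WHITELIST_REGEX = r"<EventID>4688</EventID>.*<Data Name='NewProcessName'>C:\\Windows\\"
WHITELIST = re.compile(WHITELIST_REGEX)

def whitelisted(event_xml: str) -> bool:
    """True if a whitelist-only configuration with this rule would keep the event."""
    return WHITELIST.search(event_xml) is not None

def classify(events: dict) -> dict:
    """name -> (dropped by blacklist, kept by whitelist) for each sample event."""
    return {name: (blacklisted(xml), whitelisted(xml)) for name, xml in events.items()}

def render_inputs_conf(regex: str = BLACKLIST_REGEX) -> str:
    """inputs.conf stanza applying the blacklist on the forwarder. $XmlRegex is
    assumed to be the key for regexes over the raw XML event (renderXml = true);
    verify against inputs.conf.spec for your version before deploying."""
    return ("[WinEventLog://Security]\n"
            "disabled = 0\n"
            "renderXml = true\n"
            f'blacklist1 = $XmlRegex="{regex}"\n')

if __name__ == "__main__":
    for name, (dropped, kept) in classify(SAMPLE_EVENTS).items():
        print(f"{name:24} blacklist drops: {dropped!s:5}  whitelist keeps: {kept}")
    print()
    print(render_inputs_conf())
```

What the run shows: the blacklist drops only the four listed binaries (still matching Defender after its version folder changes), keeps a same-named executable launched from a user profile directory because the rule anchors on the full path, and leaves other EventIDs untouched. The whitelist is a wider change than it looks: in inputs.conf a whitelist keeps only events that match it, so a C:\Windows\ rule on its own would also drop 4688 events for binaries started from user-writable directories (usually the ones worth keeping) and every other EventID on the Security channel unless those are whitelisted as well. The same regex can also serve as the REGEX of a transforms.conf stanza with DEST_KEY = queue and FORMAT = nullQueue, which is the indexer-side routing option from the first reply.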