Filter out events Windows before Indexing

jfeitosa_real
Path Finder

Hi Guys!

How to create a filter to discard Windows logon events (EventID = 4624), but only when the LogonProcessName field is equal to 'NtLmSsp'?

The logs are in XML format.

I've tried several REGEX, but none worked.

Please, who has an idea?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54645625-5678-4344-A5AA-E3A0356C30D}'/>
<EventID>4624/EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-01-29T16:09:38.913252400Z'/><EventRecordID>602433466</EventRecordID><Correlation/><Execution ProcessID='612' ThreadID='11820'/><Channel>Security</Channel><Computer>DC01.mydomain.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>MTI\user01</Data><Data Name='TargetUserName'>user01</Data><Data Name='TargetDomainName'>mydomain</Data><Data Name='TargetLogonId'>0x280731681</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>COMP01</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

props.conf
[XmlWinEventLog]
TRANSFORMS-set=setnull

transforms.conf
[setnull]
REGEX = (?m)(4624<\/EventID>).+(NtLmSsp\s+<\/Data>)
DEST_KEY = queue
FORMAT = nullQueue

  • Other REGEX used unsuccessfully:
    REGEX = (?m)EventCode\s*=\s*4624.?LogonProcessName\s=\s*NtLmSsp\s
    REGEX = (?m)LogonProcessName=(NtLmSsp)
    REGEX = (?m)^EventCode=(4624).+(LogonProcessName=NtLmSsp)

Thank you very much in advance.
[]s

0 Karma

jfeitosa_real
Path Finder

Unfortunately, the regex you passed did not work.

[setnull]
REGEX = \4624<\/EventID>.+\NtLmSsp|\NtLmSsp.+\4624<\/EventID>
DEST_KEY = queue
FORMAT = nullQueue

I tried it another way, but it did not work either.

Thank you!

0 Karma

jconger
Splunk Employee

I notice in your example event the XML syntax is wrong:

<EventID>4624/EventID>

It should be:

<EventID>4624</EventID>

Correcting that, the following regex seems to work:

\<EventID\>4624\<\/EventID>.+\<Data\s+Name='LogonProcessName'>NtLmSsp|\<Data\s+Name='LogonProcessName'>NtLmSsp.+\<EventID\>4624\<\/EventID>

This accounts for EventID occurring before or after the NtLmSsp LogonProcessName.

0 Karma
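The answer's regex, exercised outside Splunk so the nullQueue behaviour from the question's props.conf/transforms.conf can be checked against sample events before the transform is deployed. This is an added example, not code from the thread or from Splunk; it uses Python's re module on the assumption that the pattern behaves the same under Splunk's PCRE engine (the escapes it uses are literal in both), and that the transform's REGEX is applied to the raw event text, which is the default when no SOURCE_KEY is set. The events are constructed, modelled on the event in the question with the closing </EventID> tag corrected; the malformed copy with the original `4624/EventID>` typo is kept to show why that sample could never match. The `(?s)` variant is an assumption of this example for events whose EventID and LogonProcessName end up on different lines, where `.+` will not span the line break.

```python
import re

# Constructed sample event (not a real capture), trimmed to the elements the
# filter cares about, with the closing </EventID> tag written correctly.
NTLM_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Version>2</Version><Level>0</Level>"
    "<Channel>Security</Channel><Computer>DC01.mydomain.com</Computer></System>"
    "<EventData><Data Name='TargetUserName'>user01</Data>"
    "<Data Name='LogonType'>3</Data>"
    "<Data Name='LogonProcessName'>NtLmSsp </Data>"
    "<Data Name='AuthenticationPackageName'>NTLM</Data></EventData></Event>"
)

# Kerberos logon with the same EventID: must be kept.
KERBEROS_EVENT = NTLM_EVENT.replace("NtLmSsp ", "Kerberos").replace(
    "'>NTLM<", "'>Kerberos<")

# NTLM logoff (4634) rather than logon: must be kept.
LOGOFF_EVENT = NTLM_EVENT.replace("<EventID>4624</EventID>",
                                  "<EventID>4634</EventID>")

# The sample exactly as posted in the question, missing the '<' of </EventID>.
MALFORMED_EVENT = NTLM_EVENT.replace("4624</EventID>", "4624/EventID>")

# Constructed: EventData before System, to exercise the second alternative.
SWAPPED_EVENT = (
    "<Event><EventData><Data Name='LogonProcessName'>NtLmSsp </Data>"
    "</EventData><System><EventID>4624</EventID></System></Event>"
)

# Constructed: same NTLM logon, but with a line break between the two tokens.
MULTILINE_EVENT = NTLM_EVENT.replace("</System>", "</System>\n")

# The regex from the accepted answer, verbatim (two alternatives so that
# EventID may appear before or after the LogonProcessName element).
ANSWER_REGEX = (
    r"\<EventID\>4624\<\/EventID>.+\<Data\s+Name='LogonProcessName'>NtLmSsp"
    r"|\<Data\s+Name='LogonProcessName'>NtLmSsp.+\<EventID\>4624\<\/EventID>"
)

# Assumed variant: (?s) lets '.' match newlines, so the pattern also covers
# events whose elements were broken across lines.
DOTALL_REGEX = "(?s)" + ANSWER_REGEX


def should_drop(raw_event: str) -> bool:
    """True when transforms.conf would route the event to nullQueue."""
    return re.search(ANSWER_REGEX, raw_event) is not None


def should_drop_multiline(raw_event: str) -> bool:
    """Same decision using the (?s) variant of the pattern."""
    return re.search(DOTALL_REGEX, raw_event) is not None


def simulate_nullqueue(events, matcher=should_drop):
    """Split a batch of raw events into (indexed, discarded) as Splunk would."""
    kept = [e for e in events if not matcher(e)]
    dropped = [e for e in events if matcher(e)]
    return kept, dropped


if __name__ == "__main__":
    batch = [NTLM_EVENT, KERBEROS_EVENT, LOGOFF_EVENT, MALFORMED_EVENT,
             SWAPPED_EVENT, MULTILINE_EVENT]
    kept, dropped = simulate_nullqueue(batch)
    print(f"indexed: {len(kept)}, sent to nullQueue: {len(dropped)}")
    for e in batch:
        print(f"{should_drop(e)!s:5}  {should_drop_multiline(e)!s:5}  {e[:60]}")
```

Run it with a few real events pasted from the index (search for `EventCode=4624` and copy `_raw`) before committing the transform, since a nullQueue regex that silently fails to match, like the malformed sample here, leaves the noise in place, and one that over-matches discards data at index time with no way to recover it. Dropping these events also removes NTLM network logons from the index, so any detection that relies on seeing NtLmSsp logons will no longer fire; weigh that against the licence saving before deploying.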