
How do I edit the regex for my Windows Security 4656 blacklist?

JDukeSplunk
Builder

I am beaten.. I cannot get this blacklist regex to work.
We have a Windows host producing a ton of 4656 errors all for "Desktop.ini". I know the cause, (bad NTFS setup) but the server team is in no hurry to fix it, and 50+ GB of license a day is being eaten by these.

Seems the blacklist I put in place filters all 4656's.

Here is what I have in the Windows_TA stanza. It should be noted that blacklist3 works.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
blacklist4 = EventCode="4656" Message="Object Name:\s+.(?!.*desktop.ini)"
index = idx_security
renderXml=false

The raw events look like this.

07/19/2016 09:50:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=host.domain.local
TaskCategory=File System
OpCode=Info
RecordNumber=2060110708
Keywords=Audit Failure
Message=A handle to an object was requested.

Subject:
    Security ID:        DOMAIN\svc_splunk
    Account Name:       svc_splunk
    Account Domain:     DOMAIN
    Logon ID:       0xD2B5B783

Object:
    Object Server:      Security
    Object Type:        File
    ***Object Name:     U:\Users\redacted\desktop.ini***
    Handle ID:      0x0
    Resource Attributes:    -

Process Information:
    Process ID:     0x6dc
    Process Name:       C:\Windows\explorer.exe

gabriel_vasseur
Contributor

I think the (one) problem is the ! in (?!. It basically means you don't want "desktop.ini" to be there. So if it's there, your regex will not match. Try replacing the ! with : like this:

 blacklist4 = EventCode="4656" Message="Object Name:\s+.(?:.*desktop.ini)"

In fact you don't need the (?:) grouping at all. You could just have:

 blacklist4 = EventCode="4656" Message="Object Name:\s+.*desktop.ini"

To make it a bit tighter you could replace the . with the non-space character class \S:

 blacklist4 = EventCode="4656" Message="Object Name:\s+\S*desktop.ini"

Also you technically should escape the . in desktop.ini since that means a real dot:

 blacklist4 = EventCode="4656" Message="Object Name:\s+\S*desktop\.ini"

To try things out a good approach is to open a search and start with something simple like:

index=whatever sourcetype=whatever EventCode=4656 | regex Message="desktop.ini"

(update the index and sourcetype as relevant.) That should return at least the events you want to exclude. If that works for you, use that for your blacklist. If you are worried this is too generic, you can then build up the regex to something a little more restrictive, step by step, taking a step back whenever it stops matching, until you have something that works and that you believe is restrictive enough to match only the things you want to match. Once you're there, you can update your blacklist and hopefully it should work.

I hope that helps.


JDukeSplunk
Builder

Thanks Gabriel,
Simplification was the answer.

This one worked.

blacklist4 = EventCode="4656" Message="(d|D)esktop.ini"
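As an added illustration (not part of the thread, and not Splunk's own code), the following Python script runs each candidate Message regex from the thread over constructed 4656 Message bodies modelled on the event in the question. It uses Python's re module as a stand-in for the PCRE engine the forwarder applies to blacklist entries (an assumption; the constructs used here behave the same in both). It shows that the original negative-lookahead pattern has inverted logic: it drops the events that do not name desktop.ini and keeps the ones that do. It also surfaces two edge cases worth checking before a blacklist goes into inputs.conf: the \S* variant never matches a path that contains a space, and every pattern except the accepted (d|D)esktop.ini one is case-sensitive. The sample paths with a space, the lookalike file name and the payroll.xlsx event are constructed, not from the page.

```python
import re


# Constructed 4656 Message bodies, modelled on the event in the question.
# The blacklist regex is applied to the whole multi-line Message, so the
# samples keep the line structure of the Object block.
def _message(object_name: str) -> str:
    return (
        "A handle to an object was requested.\n"
        "\n"
        "Object:\n"
        "    Object Server:      Security\n"
        "    Object Type:        File\n"
        f"    Object Name:        {object_name}\n"
        "    Handle ID:      0x0\n"
    )


SAMPLES = {
    "desktop_ini":     _message(r"U:\Users\redacted\desktop.ini"),   # from the question
    "path_with_space": _message(r"U:\Users\John Smith\desktop.ini"), # constructed
    "capital_D":       _message(r"U:\Users\redacted\Desktop.ini"),   # constructed
    "lookalike":       _message(r"U:\Users\redacted\desktopXini"),   # constructed
    "other_file":      _message(r"U:\Users\redacted\payroll.xlsx"),  # constructed, must be kept
}

# The Message regexes from the thread, in the order they appear.
PATTERNS = {
    "original_lookahead": r"Object Name:\s+.(?!.*desktop.ini)",
    "dot_star":           r"Object Name:\s+.*desktop.ini",
    "non_space":          r"Object Name:\s+\S*desktop.ini",
    "escaped_dot":        r"Object Name:\s+\S*desktop\.ini",
    "accepted":           r"(d|D)esktop.ini",
}


def would_blacklist(pattern: str, message: str) -> bool:
    """True when the regex matches, i.e. the forwarder would drop the event."""
    return re.search(pattern, message) is not None


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Matrix of pattern name -> sample name -> blacklisted?"""
    return {
        pname: {sname: would_blacklist(p, m) for sname, m in samples.items()}
        for pname, p in patterns.items()
    }


if __name__ == "__main__":
    results = evaluate()
    print("pattern".ljust(20) + "".join(s.ljust(17) for s in SAMPLES))
    for pname, row in results.items():
        cells = ("DROP" if dropped else "keep" for dropped in row.values())
        print(pname.ljust(20) + "".join(c.ljust(17) for c in cells))
```

Run it as-is to print a keep/DROP matrix. The same loop is a cheap way to try a candidate against a handful of real events copied out of a search before putting it in the stanza; the `| regex Message="..."` search in the answer then confirms it against live data.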