Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[Windows] Blacklisting Event 4656 for system accounts only

Rhin0Crash
Path Finder
‎05-09-2018 06:23 AM

Good morning everyone, having a bit of a tough time with this, as my blacklists and whitelists aren't working properly. Windows Event 4656 is noisy, and I'm looking to ingest ONLY the events tied to a peron's account, and not the system account. Within Windows, the system account name is denoted by a literal "$" appended to the system name (i.e. COMPUTER$). I've tried various forms of regex within a blacklist, and tried a negative whitelist (i.e. accept all 4656 (?!Account Name:\s+\w+\$)). I've also noticed that if I activate the negative whitelist, the regex also blocks events from EventCode 4670 from showing up.

Splunk Enterprise 7.0.2
Splunk Forwarder 7.0.2

05/08/2018 04:16:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=91946348
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       COMPUTER$
    Account Domain:     DOMAIN
    Logon ID:       0x3E7

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\application
    Handle ID:      0x290
    Resource Attributes:    -

Process Information:
    Process ID:     0x4adc
    Process Name:       C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       READ_CONTROL
                SYNCHRONIZE
                WriteData (or AddFile)
                AppendData (or AddSubdirectory or CreatePipeInstance)
                WriteEA
                ReadAttributes
                WriteAttributes

    Access Reasons:     READ_CONTROL:   Granted by Ownership
                SYNCHRONIZE:    Granted by  D:(A;;FA;;;SY)
                WriteData (or AddFile): Granted by  D:(A;;FA;;;SY)
                AppendData (or AddSubdirectory or CreatePipeInstance):  Granted by  D:(A;;FA;;;SY)
                WriteEA:    Granted by  D:(A;;FA;;;SY)
                ReadAttributes: Granted by  D:(A;;FA;;;SY)
                WriteAttributes:    Granted by  D:(A;;FA;;;SY)

    Access Mask:        0x120196
    Privileges Used for Access Check:   -
    Restricted SID Count:   0

Regex used and currently Working for Similar Events (4663,4670):

blacklist2 = EventCode="(4663|4670)" Message="Account Name:\W+\w+\$"
blacklist3 = EventCode="(5447)" Message="Account Name:\s+\S+LOCAL SERVICE"

Regex attempted and currently failing for event 4656

blacklist4 = EventCode="(4656)" Message="Account Name:\W+\w+\$"
#Results in all 4656 being blacklisted, not just the COMPUTER$ account events
whitelist1 = EventCode="(4656)" Message="Account Name:(?!\W+\w+\$)"
#Results in 4656 being filtered, and 4670, and 4663 not showing up.

Confirmed both 4656 blacklist and whitelist regex pull proper events while in SPL search by using | regex Message=

Where do I go from here?

0 Karma
Reply

FrankVl
Ultra Champion
‎05-10-2018 01:18 AM

The behaviour described doesn't make much sense, so I'm wondering if you maybe have some config lingering around from an earlier attempt or so that messes up the results?

Can you try running btool on the respective forwarder to see what input config is getting applied?

./splunk btool inputs list --debug

And just to be sure: you don't have any props and transforms config that is also doing some filtering/routing that could affect this?

0 Karma
Reply

Rhin0Crash
Path Finder
‎05-09-2018 07:03 AM

I'm realizing now that the whitelist approach won't be the way to go.

Events with the same regex working, but 4656 still failing:

blacklist2 = EventCode="(4656|4670|4663|4703|4658)" Message="Account Name:(\W+\w+\$)"
#results in 4670,4663,4658 coming through with no COMPUTER$ events, but 4656 still doesn't show up
0 Karma
Reply

FrankVl
Ultra Champion
‎05-09-2018 07:10 AM

For completeness sake, can you share an example of a 4656 event without a $ that should come through?

Really weird that it works for other events, but not for this one...

0 Karma
Reply

Rhin0Crash
Path Finder
‎05-09-2018 07:13 AM

Added below

0 Karma
Reply

Rhin0Crash
Path Finder
‎05-09-2018 07:20 AM 
05/08/2018 04:16:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=91946924
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        DOMAIN\t-rex
    Account Name:       t-rex
    Account Domain:     DOMAIN
    Logon ID:       0x93270A40

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\SplunkUniversalForwarder\etc\apps
    Handle ID:      0x1f4
    Resource Attributes:    -

Process Information:
    Process ID:     0x50d4
    Process Name:       C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       READ_CONTROL
                SYNCHRONIZE
                ReadData (or ListDirectory)

    Access Reasons:     READ_CONTROL:   Granted by  D:(A;;FA;;;BA)
                SYNCHRONIZE:    Granted by  D:(A;;FA;;;BA)
                ReadData (or ListDirectory):    Granted by  D:(A;;FA;;;BA)

    Access Mask:        0x120001
    Privileges Used for Access Check:   -
    Restricted SID Count:   0
0 Karma
Reply

alastor
Path Finder
‎06-06-2019 06:04 AM

You may have figured this out already, but the blacklist you are using is looking for a match in the Message for Account Name, but in this event you've posted that doesn't show up.

You might want to filter out Splunk processes logging events so you could add a new copy of the blacklist line but change the
Message="Account Name:(\W+\w+\$)"
to
Message="%SplunkUniversalForwarder%"

That might work.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...