Getting Data In

How to create inputs.conf blacklist with BOOLEAN

arsalanj
Path Finder

Hi there,

I want to create a blacklist in the universal forwarder or in my heavy forwarder with the following conditions:

1)EventCode=4688
2)splunk*.exe

so I want the regex to be something like EventCode=4688 AND splunk*.
I tried many different combinations like this one:

(?:.*\n){1,}EventCode=4688(?:.*\n){1,}.*splunk-.*\.exe(?:.*\n){1,}(?:.*\n)

The above regex matches the event but it's not working in the transforms.conf or inputs.conf.

This is how the event looks like:

##########
10/03/2019 03:33:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=Win1-New
TaskCategory=Process Creation
OpCode=Info
RecordNumber=2926293
Keywords=Audit Success
Message=A new process has been created.

Subject:
Security ID: S-1-1-12
Account Name: WIN$1
Account Domain: LOCALGROUP
Logon ID: 0x3e7

Process Information:
New Process ID: 0x143c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x1504
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Any ideas how should I proceed?

Thanks.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Blacklists for Windows events are not free-form regex. You can use a list of event codes, which won't work for you, or a number key=regex pairs. The latter probably is what you want. Pairs are automatically ANDed. Unfortunately, the key portion of the blacklist is limited to certain fields and Process_Command_Line is not one of them.

See https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Blacklists for Windows events are not free-form regex. You can use a list of event codes, which won't work for you, or a number key=regex pairs. The latter probably is what you want. Pairs are automatically ANDed. Unfortunately, the key portion of the blacklist is limited to certain fields and Process_Command_Line is not one of them.

See https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...

---
If this reply helps you, Karma would be appreciated.

arsalanj
Path Finder

Appreciate your response @richgalloway

I thought it deals with the raw data.
I see that it only works on Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User.

The keyword that I wanted to AND with was "splunk-" and I used the Message field.
I could make it work, thanks so much.

Could you please tell me what format should I use if I want to drop them in transforms.conf?
I tried a few regexes that again worked in regex editors but splunk ignored it.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't understand the new question. You have it working, right?

---
If this reply helps you, Karma would be appreciated.
0 Karma

arsalanj
Path Finder

Yes, I do. I could make it work by creating a blacklist in inputs.conf

The question was, how can I filter such events in transforms.conf.
How can I AND things in the (REGEX = ) field.
Because my regex matches the multiline logs but Splunk is not dropping them.

props.conf
[source::WinEventLog:Security]
TRANSFORMS-null = drop1

transforms.conf
[drop1]
REGEX = (EventCode=4688)(?:.*\n){1,}(New Process Name:\s+.*splunk-.*exe)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't know that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...