Good morning everyone, having a bit of a tough time with this, as my blacklists and whitelists aren't working properly. Windows Event 4656 is noisy, and I'm looking to ingest ONLY the events tied to a person's account, and not the system account. Within Windows, the system account name is denoted by a literal "$" appended to the system name (i.e. COMPUTER$). I've tried various forms of regex within a blacklist, and tried a negative whitelist (i.e. accept all 4656 (?!Account Name:\s+\w+\$)). I've also noticed that if I activate the negative whitelist, the regex also blocks events from EventCode 4670 from showing up.
Splunk Enterprise 7.0.2
Splunk Forwarder 7.0.2
05/08/2018 04:16:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=91946348
Keywords=Audit Success
Message=A handle to an object was requested.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\application
Handle ID: 0x290
Resource Attributes: -
Process Information:
Process ID: 0x4adc
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Access Reasons: READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;FA;;;SY)
WriteData (or AddFile): Granted by D:(A;;FA;;;SY)
AppendData (or AddSubdirectory or CreatePipeInstance): Granted by D:(A;;FA;;;SY)
WriteEA: Granted by D:(A;;FA;;;SY)
ReadAttributes: Granted by D:(A;;FA;;;SY)
WriteAttributes: Granted by D:(A;;FA;;;SY)
Access Mask: 0x120196
Privileges Used for Access Check: -
Restricted SID Count: 0
Regex used and currently working for similar events (4663, 4670):
blacklist2 = EventCode="(4663|4670)" Message="Account Name:\W+\w+\$"
blacklist3 = EventCode="(5447)" Message="Account Name:\s+\S+LOCAL SERVICE"
Regex attempted and currently failing for event 4656:
blacklist4 = EventCode="(4656)" Message="Account Name:\W+\w+\$"
#Results in all 4656 being blacklisted, not just the COMPUTER$ account events
whitelist1 = EventCode="(4656)" Message="Account Name:(?!\W+\w+\$)"
#Results in 4656 being filtered, and 4670, and 4663 not showing up.
Confirmed both 4656 blacklist and whitelist regex pull proper events while in SPL search by using | regex Message=
Where do I go from here?
The behaviour described doesn't make much sense, so I'm wondering if you maybe have some config lingering around from an earlier attempt or so that messes up the results?
Can you try running btool on the respective forwarder to see what input config is getting applied?
./splunk btool inputs list --debug
And just to be sure: you don't have any props and transforms config that is also doing some filtering/routing that could affect this?
I'm realizing now that the whitelist approach won't be the way to go.
Events with the same regex working, but 4656 still failing:
blacklist2 = EventCode="(4656|4670|4663|4703|4658)" Message="Account Name:(\W+\w+\$)"
#results in 4670,4663,4658 coming through with no COMPUTER$ events, but 4656 still doesn't show up
For completeness' sake, can you share an example of a 4656 event without a $ that should come through?
Really weird that it works for other events, but not for this one...
Added below
05/08/2018 04:16:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=91946924
Keywords=Audit Success
Message=A handle to an object was requested.
Subject:
Security ID: DOMAIN\t-rex
Account Name: t-rex
Account Domain: DOMAIN
Logon ID: 0x93270A40
Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\SplunkUniversalForwarder\etc\apps
Handle ID: 0x1f4
Resource Attributes: -
Process Information:
Process ID: 0x50d4
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
Access Reasons: READ_CONTROL: Granted by D:(A;;FA;;;BA)
SYNCHRONIZE: Granted by D:(A;;FA;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA)
Access Mask: 0x120001
Privileges Used for Access Check: -
Restricted SID Count: 0
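To check what the rules quoted in this thread do in pure regex terms, here is an added Python simulation (it is not Splunk's code and not from any poster) that applies the inputs.conf key=regex blacklist/whitelist format to trimmed copies of the two 4656 events above plus one constructed 4670 event. It assumes Splunk's documented semantics: every key=regex pair in one rule must match (implicit AND), an event must match at least one whitelist when any whitelist is configured, and an event matching any blacklist is dropped.

```python
import re

# Constructed sample events for this example. The two 4656 events are trimmed
# copies of the ones quoted in the thread; the 4670 event is invented here to
# show how a whitelist treats event codes it does not name.
EVENT_4656_SYSTEM = r"""05/08/2018 04:16:49 PM
EventCode=4656
Message=A handle to an object was requested.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Process Information:
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
"""

EVENT_4656_USER = r"""05/08/2018 04:16:50 PM
EventCode=4656
Message=A handle to an object was requested.
Subject:
Security ID: DOMAIN\t-rex
Account Name: t-rex
Account Domain: DOMAIN
Process Information:
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
"""

EVENT_4670_USER = r"""05/08/2018 04:17:02 PM
EventCode=4670
Message=Permissions on an object were changed.
Subject:
Security ID: DOMAIN\t-rex
Account Name: t-rex
Account Domain: DOMAIN
"""

ALL_EVENTS = [EVENT_4656_SYSTEM, EVENT_4656_USER, EVENT_4670_USER]

# Rules copied from the thread (inputs.conf key=regex format).
BLACKLIST4 = r'EventCode="(4656)" Message="Account Name:\W+\w+\$"'
WHITELIST1 = r'EventCode="(4656)" Message="Account Name:(?!\W+\w+\$)"'

RULE_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_event(text):
    """Split a Splunk-formatted Windows event into header fields plus the
    multi-line Message body (everything after 'Message=')."""
    fields = {}
    head, sep, body = text.partition("Message=")
    for line in head.splitlines():
        key, eq, value = line.partition("=")
        if eq:
            fields[key.strip()] = value.strip()
    if sep:
        fields["Message"] = body
    return fields


def parse_rule(rule):
    """Turn 'Key="regex" Key2="regex"' into a list of (key, regex) pairs."""
    return RULE_PAIR.findall(rule)


def rule_matches(rule, event):
    """Assumed semantics: every key=regex pair must match (implicit AND);
    a key missing from the event is treated as an empty string."""
    pairs = parse_rule(rule)
    return bool(pairs) and all(re.search(rx, event.get(key, "")) for key, rx in pairs)


def apply_filters(events, whitelists=(), blacklists=()):
    """Assumed semantics: with any whitelist set, an event must match one of
    them to survive; an event matching any blacklist is dropped."""
    kept = []
    for text in events:
        ev = parse_event(text)
        if whitelists and not any(rule_matches(w, ev) for w in whitelists):
            continue
        if any(rule_matches(b, ev) for b in blacklists):
            continue
        kept.append(ev)
    return kept


def summarize(events):
    """(EventCode, Account Name) pairs, easy to read and to assert on."""
    out = []
    for ev in events:
        m = re.search(r"Account Name:\s*(\S+)", ev.get("Message", ""))
        out.append((ev.get("EventCode"), m.group(1) if m else None))
    return out


def scenario_blacklist():
    # COMPUTER$ 4656 dropped; user 4656 and 4670 kept.
    return summarize(apply_filters(ALL_EVENTS, blacklists=[BLACKLIST4]))


def scenario_whitelist():
    # Only the user 4656 survives: the whitelist names EventCode 4656 and nothing else.
    return summarize(apply_filters(ALL_EVENTS, whitelists=[WHITELIST1]))


if __name__ == "__main__":
    print("blacklist4 keeps:", scenario_blacklist())
    print("whitelist1 keeps:", scenario_whitelist())
```

Run directly, it prints which events survive each rule. Under these semantics blacklist4's regex drops the COMPUTER$ event and keeps the t-rex one, and whitelist1 keeps only 4656 events, which accounts for 4670 and 4663 vanishing whenever that whitelist is active. The simulation does not reproduce all 4656 events disappearing under blacklist4, so that behaviour has to be traced in the forwarder's effective configuration rather than in the regex.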
You may have figured this out already, but the blacklist you are using is looking for a match in the Message for Account Name, but in this event you've posted that doesn't show up.
You might want to filter out Splunk processes logging events so you could add a new copy of the blacklist line but change the
Message="Account Name:(\W+\w+\$)"
to
Message="%SplunkUniversalForwarder%"
That might work.