
How to exclude the service account from the event of Splunk ES?

AL3Z
Builder

Hi,

I'm trying to exclude the service accounts of the users from the below event in Splunk ES.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/>
    <EventID>4738</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/>
    <EventRecordID>668676978</EventRecordID>
    <Correlation/>
    <Execution ProcessID='656' ThreadID='6132'/>
    <Channel>Security</Channel>
    <Computer>swrfkeou09.am.win.cisco.com</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='Dummy'>-</Data>
    <Data Name='TargetUserName'>BP_william_son</Data>
    <Data Name='TargetDomainName'>AM</Data>
    <Data Name='TargetSid'>AM\BP_william_son</Data>
    <Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data>
    <Data Name='SubjectUserName'>EC_OktaGMSER$</Data>
    <Data Name='SubjectDomainName'>EC</Data>
    <Data Name='SubjectLogonId'>0x7e3yd92a4</Data>
    <Data Name='PrivilegeList'>-</Data>
    <Data Name='SamAccountName'>-</Data>
    <Data Name='DisplayName'>-</Data>
    <Data Name='UserPrincipalName'>-</Data>
    <Data Name='HomeDirectory'>-</Data>
    <Data Name='HomePath'>-</Data>
    <Data Name='ScriptPath'>-</Data>
    <Data Name='ProfilePath'>-</Data>
    <Data Name='UserWorkstations'>-</Data>
    <Data Name='PasswordLastSet'>%%1794</Data>
    <Data Name='AccountExpires'>-</Data>
    <Data Name='PrimaryGroupId'>-</Data>
    <Data Name='AllowedToDelegateTo'>-</Data>
    <Data Name='OldUacValue'>0x15</Data>
    <Data Name='NewUacValue'>0x10</Data>
    <Data Name='UserAccountControl'>
%%2048
%%2050</Data>
    <Data Name='UserParameters'>-</Data>
    <Data Name='SidHistory'>-</Data>
    <Data Name='LogonHours'>-</Data>
  </EventData>
</Event>

Thanks


AL3Z
Builder

@gcusello 

Here I'm trying to exclude the service account using join.

search:

(index=winevent OR index=winsec) source="XmlWinEventLog:*" (EventCode=4662 OR EventCode=4738)

We have the fields OU and processname associated with eventcode=4662.
Under OU we have a serviceid, which we have to exclude; under processname we have to exclude agent.exe.

Likewise, there are other fields present in eventcode 4738 which are not present in 4662.

How can we use join and correlate these two datasets?

Thanks.


gcusello
SplunkTrust

Hi @AL3Z,

using the join command you never accelerate a search, you always slow it down!

Anyway, to exclude results from a correlation search, the easiest way is the suppression list I hinted at.

Otherwise you can add a filter in the Correlation Search to exclude some results, but not a join.

Ciao.

Giuseppe

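One way to apply the "filter in the search, not a join" advice to the two event codes in the question. This is an added SPL example, not a search posted by either participant. It assumes the field names the Splunk Add-on for Windows extracts from XmlWinEventLog events (EventCode, SubjectUserName, TargetUserName), a hypothetical lookup table service_accounts.csv with a single column named user holding the sAMAccountNames to exclude, and a process_name field on the 4662 events standing in for the "processname" field the question mentions; rename those to match your own extractions.

```spl
(index=winevent OR index=winsec) source="XmlWinEventLog:*" (EventCode=4662 OR EventCode=4738)
    NOT SubjectUserName="*$"
    NOT (EventCode=4662 AND process_name="agent.exe")
| eval actor=lower(SubjectUserName)
| lookup service_accounts.csv user AS actor OUTPUT user AS is_service_account
| where isnull(is_service_account)
| stats count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(EventCode) AS event_codes
        values(TargetUserName) AS targets
        values(process_name) AS processes
    BY actor
| convert ctime(first_seen) ctime(last_seen)
```

The first NOT clause drops accounts whose name ends in a dollar sign, which is how computer accounts and group managed service accounts are named; the SubjectUserName in the posted 4738 event, EC_OktaGMSER$, is removed by that clause alone. The lookup then removes service accounts that do not follow that naming convention: a match fills is_service_account, a non-match leaves it null, and the where keeps only the nulls. The 4662-only exclusion is written as NOT (EventCode=4662 AND ...) so it cannot touch the 4738 events, which do not carry that field. Finally, stats BY the shared SubjectUserName field puts both event codes for the same actor on one row, which is the correlation the join was meant to provide, without a subsearch limit or the join's cost. Field names in SPL are case sensitive, so EventCode must be written as the add-on extracts it.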

gcusello
SplunkTrust

Hi @AL3Z,

when you have one or more events with users that you want to exclude from the results, you have to open the dropdown list on the right of the dashboard and choose the option suppress events, optionally (it isn't mandatory) adding an expiration date to this suppression rule.

You can also manage your suppression rules modifying them.

You could also modify the scheduled search that populates the Authentication DataModel, excluding these accounts.

Ciao.

Giuseppe
