From 0bf5a631fa2cd96e06bf805d9668f9040b83272f Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 12 Aug 2020 23:01:06 -0700
Subject: [PATCH] Filter out Splunk and osqueryd events

---
 .../splunk_forwarder/wef_inputs.conf | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
index 0b6c195..81557de 100755
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -59,6 +59,8 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
+blacklist = Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe)"
+blacklist1 = Message="(?:Process Name:).+(?:C:\\Program Files\\SplunkUniversalForwarder\\bin\\)"
 
 [WinEventLog://WEC-Code-Integrity]
 sourcetype = WinEventLog:Security
@@ -87,6 +89,16 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 
+[WinEventLog://WEC2-Object-Manipulation]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Object-Handle
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+blacklist = Message="(?:Process Name:).+(?:osqueryd.exe)"
+
 [WinEventLog://WEC2-Task-Scheduler]
 sourcetype = WinEventLog:Task-Scheduler
 source = WinEventLog:Task-Scheduler
@@ -140,7 +152,6 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
-blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe"
 
 [WinEventLog://WEC3-Windows-Diagnostics]
 sourcetype = WinEventLog:System
@@ -412,15 +423,6 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 
-[WinEventLog://WEC2-Object-Manipulation]
-sourcetype = WinEventLog:Security
-source = WinEventLog:Object-Handle
-index=wineventlog
-disabled = 0
-start_from = oldest
-current_only = 0
-checkpointInterval = 5
-
 [monitor://c:\pslogs]
 index = powershell
 sourcetype = powershell_transcript
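Review bot: The two blacklists added in the first hunk (`-59,6 +59,8`) are not scoped to an EventCode, unlike the `EventCode="4798"` filter this same commit removes in the `-140,7 +152,6` hunk, so every event in this stanza whose message has a `Process Name:` line ending in the osqueryd or SplunkUniversalForwarder path is dropped regardless of what the event records. Because the pattern is unanchored, it also appears to match field names that merely end in `Process Name:` (for example a `Creator Process Name:` line, if this stanza carries process-creation events), which would silence child processes launched by those agents rather than only the agents themselves; and the filter keys on a path string, so anything that runs from those directories is invisible in this log. If the intent is only to suppress the agents' own noise, consider qualifying the filter, e.g. `blacklist = EventCode="<event-code>" Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd\.exe)"`, and record the trade-off with a comment above the lines such as `# Drops the monitoring agents' own activity; any process running from these paths is not logged here`. The stanza these lines belong to starts above the hunk, so its event source is not visible here.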
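Review bot: The blacklist in the new `[WinEventLog://WEC2-Object-Manipulation]` stanza (`-87,6 +89,16` hunk) matches on the bare file name `osqueryd.exe`, whereas the first hunk of this commit matches the full `C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe` path, so any process named osqueryd.exe from any location is filtered out of the object-handle log; the unescaped `.` also matches any character. For consistency and a narrower blind spot, use the same full-path form: `blacklist = Message="(?:Process Name:).+(?:C:\\Program Files\\osquery\\osqueryd\\osqueryd\.exe)"`. The rest of the stanza is moved unchanged from the end of the file, including `index=wineventlog`, whose spacing differs from the `index = ` form used by the `[monitor://c:\pslogs]` stanza.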