topic Re: How to create exception EventID 8004 - imputs.conf? in Security https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645398#M17020 <P>Hello,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;.<BR /><BR />I posted my imputs.conf iabove.</P><P>I appreciate it if you can help me&nbsp;</P><P>&nbsp;</P> Thu, 01 Jun 2023 15:12:19 GMT RenanMarcelino 2023-06-01T15:12:19Z How to create exception EventID 8004 - imputs.conf? https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645373#M17017 <P>Hi everyone,</P> <P>I'm trying to create an EventID 8004 exception from the C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe directory. I need to receive in Splunk EventID 8004 but not from RdrCEF.exe . I'm trying to use these blacklists below, but I still get events from this directory. I'm suspicious about the regex, perhaps incorrectly. Some help?<BR /><BR /><STRONG>directory<BR />C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe</STRONG></P> <P><STRONG>regex usage:<BR />blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"<BR /><BR />blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"</STRONG></P> <P><STRONG>in event viwer the trigger is:<BR />%PROGRAMFILES%\ADOBE\ACROBAT READER DC\READER\ACROCEF_1\RDRCEF.EXE</STRONG></P> Thu, 01 Jun 2023 13:56:21 GMT https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645373#M17017 RenanMarcelino 2023-06-01T13:56:21Z Re: How to create exception EventID 8004 - imputs.conf? https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645378#M17018 <P>Can you post your real inputs.conf inside &lt;/&gt; block?</P> Thu, 01 Jun 2023 14:14:54 GMT https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645378#M17018 isoutamo 2023-06-01T14:14:54Z Re: How to create exception EventID 8004 - imputs.conf? https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645396#M17019 <LI-CODE lang="markup">[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] checkpointInterval = 5 current_only = 0 disabled = 0 index = "our indexer" start_from = oldest renderXml = 1 whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040 blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe" blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe" _TCP_ROUTING = "our destiny"</LI-CODE> Thu, 01 Jun 2023 15:09:38 GMT https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645396#M17019 RenanMarcelino 2023-06-01T15:09:38Z Re: How to create exception EventID 8004 - imputs.conf? https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645398#M17020 <P>Hello,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;.<BR /><BR />I posted my imputs.conf iabove.</P><P>I appreciate it if you can help me&nbsp;</P><P>&nbsp;</P> Thu, 01 Jun 2023 15:12:19 GMT https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645398#M17020 RenanMarcelino 2023-06-01T15:12:19Z Re: How to create exception EventID 8004 - imputs.conf? https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645413#M17021 <P>follow the imputs.conf&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;</P><LI-CODE lang="markup">[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] checkpointInterval = 5 current_only = 0 disabled = 0 index = "our indexer" start_from = oldest renderXml = 1 whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040 blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe" blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe" _TCP_ROUTING = "our destiny"</LI-CODE><P>&nbsp;</P> Thu, 01 Jun 2023 17:27:10 GMT https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/645413#M17021 RenanMarcelino 2023-06-01T17:27:10Z Re: How to create exception EventID 8004 - imputs.conf? https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/651481#M17137 <P>I think that your white and black lists are not correct regular expressions. You should try to use something like</P><LI-CODE lang="markup">C:\\\\Program Files \(x86\)\\Adobe\\Acrobat Reader DC\\Reader\\acrocef\_1\\RdrCEF\.exe</LI-CODE><P>as a FullFilePath. A good place to test those is regex101.com.</P> Fri, 21 Jul 2023 12:32:28 GMT https://community.splunk.com/t5/Security/How-to-create-exception-EventID-8004-imputs-conf/m-p/651481#M17137 isoutamo 2023-07-21T12:32:28Z