https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334171#M4960 <P>Sorry new to splunk.. what do you mean by paste on sample event?</P> <P>Thanks</P> Thu, 27 Jul 2017 18:09:06 GMT Jordan54 2017-07-27T18:09:06Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334165#M4954 <P>Hello.. I am trying to black list a event code with a message and it is not working.. I have my code posted below. Am I missing something? Thanks!</P> <P>blacklist5 = Eventcode="4663" Message="Accesses:ReadData (or ListDirectory)"</P> Wed, 26 Jul 2017 19:51:18 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334165#M4954 Jordan54 2017-07-26T19:51:18Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334166#M4955 <P>try below,</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> evt_resolve_ad_obj = 0<BR /> blacklist1=EventCode="4663" Message=”Accesses:ReadData\s+(or\s+ListDirectory)"</P> Tue, 29 Sep 2020 15:05:13 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334166#M4955 sbbadri 2020-09-29T15:05:13Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334167#M4956 <P>Thanks for the suggestion, but that didn't seem to help. Any other suggestions?</P> Thu, 27 Jul 2017 12:24:43 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334167#M4956 Jordan54 2017-07-27T12:24:43Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334168#M4957 <P>can you paste sample event. Regex for message might be wrong or another one is it won't effect on old events.</P> <P>below is the example given in Splunk_TA_windows,</P> <P>[WinEventLog://Security]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"<BR /> blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"<BR /> index = wineventlog<BR /> renderXml=false</P> Tue, 29 Sep 2020 15:05:34 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334168#M4957 sbbadri 2020-09-29T15:05:34Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334169#M4958 <P>This is what I have.. Thanks again!</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> blacklist1 = EventCode="4700|4767|4946|4948|4779|4954|4740|4658|4634|5145|4656|4672|5158|4776|5152|5157|4769|4768|4648|4985|4690|4771|4770|4702|4670|4660|4689|4611|5154|4793|5447|5058|5061|5031|4673|5143|4742|1|4647|4723|4738"<BR /> blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> blacklist3 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> blacklist4 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"<BR /> blacklist5=EventCode="4663" Message=”Accesses:ReadData\s+(or\s+ListDirectory)"</P> <P>index = oswinsec<BR /> renderXml=false</P> Tue, 29 Sep 2020 15:05:45 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334169#M4958 Jordan54 2020-09-29T15:05:45Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334170#M4959 <P>can you paste on sample event. I guess Message regex is wrong.</P> Thu, 27 Jul 2017 17:58:48 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334170#M4959 sbbadri 2017-07-27T17:58:48Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334171#M4960 <P>Sorry new to splunk.. what do you mean by paste on sample event?</P> <P>Thanks</P> Thu, 27 Jul 2017 18:09:06 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334171#M4960 Jordan54 2017-07-27T18:09:06Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334172#M4961 <P>Please execute below query on your search head</P> <P>index=oswinsec EventCode=4663 | head 1. </P> <P>It will produce one result. Copy output result and paste in comment.</P> Thu, 27 Jul 2017 18:14:42 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334172#M4961 sbbadri 2017-07-27T18:14:42Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334173#M4962 <P>2:27:01.000 PM<BR /><BR /> 07/27/2017 02:27:01 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4663<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=<BR /> TaskCategory=Removable Storage<BR /> OpCode=Info<BR /> RecordNumber=473041460<BR /> Keywords=Audit Success<BR /> Message=An attempt was made to access an object.</P> <P>Subject:<BR /> Security ID: S-1-5-18<BR /> Account Name:<BR /><BR /> Account Domain:<BR /><BR /> Logon ID: </P> <P>Object:<BR /> Object Server: Security<BR /> Object Type: File<BR /> Object Name: D:\Program Files\<BR /> Handle ID: 0x204<BR /> Resource Attributes:<BR /> Process Information:<BR /> Process ID: 0x51c<BR /> Process Name: D:\Program Files </P> <P>Access Request Information:<BR /> Accesses: ReadData (or ListDirectory)</P> <PRE><CODE>Access Mask: 0x1 </CODE></PRE> <P>Collapse<BR /> EventCode = 4663 host = index = oswinsec source = WinEventLog:Security sourcetype = WinEventLog:Security</P> <P>Thanks</P> Thu, 27 Jul 2017 18:29:37 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334173#M4962 Jordan54 2017-07-27T18:29:37Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334174#M4963 <P>blacklist5=EventCode="4663" Message="An attempt was made to access an object."<BR /> or<BR /> Assuming that Accesses field has been extracted <BR /> blacklist5=EventCode="4663" Accesses="ReadData\s(or\sListDirectory)"</P> Thu, 27 Jul 2017 18:40:13 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334174#M4963 sbbadri 2017-07-27T18:40:13Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334175#M4964 <P>That worked! Thanks</P> Fri, 28 Jul 2017 15:07:20 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334175#M4964 Jordan54 2017-07-28T15:07:20Z https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334176#M4965 <P>cool. Glad it worked, Please vote or accept the answer</P> Fri, 28 Jul 2017 15:09:48 GMT https://community.splunk.com/t5/Splunk-Dev/Trying-to-blacklist-event-code-with-accesses/m-p/334176#M4965 sbbadri 2017-07-28T15:09:48Z