<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Best way to Filter Windows Events before Indexing? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293104#M55808</link>
    <description>&lt;P&gt;I can't answer whether there is a need for them, but others do filter out these computer accounts:&lt;BR /&gt;
&lt;A href="https://answers.splunk.com/answers/303882/unable-to-blacklist-windows-events-with-regex-on-u.html"&gt;https://answers.splunk.com/answers/303882/unable-to-blacklist-windows-events-with-regex-on-u.html&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 30 Jun 2017 22:16:35 GMT</pubDate>
    <dc:creator>maciep</dc:creator>
    <dc:date>2017-06-30T22:16:35Z</dc:date>
    <item>
      <title>Best way to Filter Windows Events before Indexing?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293103#M55807</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;

&lt;P&gt;We're seeing may Events with EventCode 4624 and 4634 with Account_Name ending with $ sign. Is there any value for it in Security logs OR we can filter them Out?&lt;/P&gt;</description>
      <pubDate>Fri, 30 Jun 2017 18:14:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293103#M55807</guid>
      <dc:creator>kiran331</dc:creator>
      <dc:date>2017-06-30T18:14:52Z</dc:date>
    </item>
    <item>
      <title>Re: Best way to Filter Windows Events before Indexing?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293104#M55808</link>
      <description>&lt;P&gt;I can't answer whether there is a need for them, but others do filter out these computer accounts:&lt;BR /&gt;
&lt;A href="https://answers.splunk.com/answers/303882/unable-to-blacklist-windows-events-with-regex-on-u.html"&gt;https://answers.splunk.com/answers/303882/unable-to-blacklist-windows-events-with-regex-on-u.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 30 Jun 2017 22:16:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293104#M55808</guid>
      <dc:creator>maciep</dc:creator>
      <dc:date>2017-06-30T22:16:35Z</dc:date>
    </item>
    <item>
      <title>Re: Best way to Filter Windows Events before Indexing?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293105#M55809</link>
      <description>&lt;P&gt;Account names ending with a $ are usually reloated to computer identities&lt;BR /&gt;
&lt;A href="https://msdn.microsoft.com/en-us/library/cc246064.aspx"&gt;https://msdn.microsoft.com/en-us/library/cc246064.aspx&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;From a security perspective, it is very important to keep related events along with standard user activity as there are many ways to act as the computer system once it has been compromised (psexec, etc.) If you filter those events, you will be partially blind when monitoring possible attacks.&lt;/P&gt;</description>
      <pubDate>Sat, 01 Jul 2017 02:59:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Best-way-to-Filter-Windows-Events-before-Indexing/m-p/293105#M55809</guid>
      <dc:creator>sylbaea</dc:creator>
      <dc:date>2017-07-01T02:59:08Z</dc:date>
    </item>
  </channel>
</rss>

