topic Can I use != in blacklist? in Getting Data In

Can I use != in blacklist?

benbabich — Thu, 12 Oct 2017 19:15:42 GMT

I only want to see cmd.exe and blacklist everything else for EventCode 4688.

blacklist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)" will remove cmd.exe but 'Message!=' doesn't do the opposite.

Re: Can I use != in blacklist?

richgalloway — Thu, 12 Oct 2017 20:48:40 GMT

Perhaps a whitelist?

whitelist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"

Re: Can I use != in blacklist?

benbabich — Fri, 13 Oct 2017 13:18:24 GMT

That does work but I have some inherited blacklists that would have made it easier (for other reasons not shown in the example) to do it in blacklist.

Re: Can I use != in blacklist?

benbabich — Fri, 13 Oct 2017 13:57:28 GMT

I was really trying to do it in Blacklist due to some convoluted but prebuilt blacklists I inherited but I think I'll just have to build it out properly in the whitelist. It really is the best way to do it.