topic Re: Inputs.conf blacklist with a negative regex in Splunk Search

Inputs.conf blacklist with a negative regex

rafadvega — Fri, 31 Jan 2020 12:34:24 GMT

Hello,

I need to create a whitelist with the blacklist. I mean...

I have three blacklist in the windows security input:

[WinEventLog://Security]
disabled=0
index = wineventlog
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog
...
...
...
blacklist = 4624,4625,2222
blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'>(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\btool.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe)</Data>"
blacklist2 = EventCode="1111" $XmlRegex="<Data Name='CallerProcessName'>C:\\ProgramData\\random\\andom2\\dasdfa.exe</Data>"

I need to add another blacklist like this:

blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>(C:\\Windows\\System32\\Taskmgr.exe)</Data>"

This blacklist remove all 4663 events with the processname Taskmgr.exe (works). But actually, I want to remove all 4663 events except, 4663 events with the process name Taskmgr.exe

I tried to use an expression like this, but it isn't work:

blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>(?!C:\\Windows\\System32\\Taskmgr.exe)</Data>"
blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>?!(C:\\Windows\\System32\\Taskmgr.exe)</Data>"
blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>^((?!C:\\Windows\\System32\\Taskmgr.exe)[\s\S])*$</Data>"

Has it a solution? I can't use a whitelist because I have blacklists.

Thanks a lot!

Re: Inputs.conf blacklist with a negative regex

richgalloway — Fri, 31 Jan 2020 13:41:12 GMT

What makes you think you can't use a whitelist? There is nothing in the documentation that says you can't use both white and black lists.

Re: Inputs.conf blacklist with a negative regex

rafadvega — Fri, 31 Jan 2020 16:31:31 GMT

Thanks for answering. I tried this also:

[WinEventLog://Security]
disabled=0
index = wineventlog
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog
...
...
...
whitelist= EventCode="4663" $XmlRegex="(C:\Windows\System32\Taskmgr.exe)"
blacklist = 4624,4625,2222
blacklist1 = EventCode="4688" $XmlRegex="(C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\btool.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe)"
blacklist2 = EventCode="1111" $XmlRegex="C:\ProgramData\random\andom2\dasdfa.exe"

But it isn't work. When I add the whitelist, all security events are filtered...

Re: Inputs.conf blacklist with a negative regex

xavierashe — Mon, 09 Mar 2020 15:32:43 GMT

Try this regex:

<Data Name='ProcessName'>((?!C:\\Windows\\System32\\Taskmgr.exe).)*$

Re: Inputs.conf blacklist with a negative regex

vansicklj — Tue, 01 Jun 2021 17:54:27 GMT

I got your regex to match by swapping "?!" for "!?", adding a delimiter to ".exe", and removing a pair of parentheses:

<Data Name='ProcessName'>(!?(C:\\Windows\\System32\\Taskmgr\.exe)).*$

See https://regex101.com/r/vGIN1P/1