https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672353#M230308 <P>Hello,<BR /><BR />I am trying to blacklist winevent code 4679 by&nbsp; &nbsp;TaskCategory=Kerberos Service Ticket Operations.&nbsp;<BR /><BR />This regex is not working.&nbsp;<BR /><BR />blacklist7 = EventCode="4769" TaskCategory="\w+\s\w+\s\w+\s\w+"<BR /><BR />Ive also tried&nbsp;<BR /><BR />blacklist7 = EventCode="4769" TaskCategory="Kerberos Service Ticket Operations"<BR /><BR /></P> Wed, 20 Dec 2023 00:46:27 GMT nyajoefit22 2023-12-20T00:46:27Z https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672353#M230308 <P>Hello,<BR /><BR />I am trying to blacklist winevent code 4679 by&nbsp; &nbsp;TaskCategory=Kerberos Service Ticket Operations.&nbsp;<BR /><BR />This regex is not working.&nbsp;<BR /><BR />blacklist7 = EventCode="4769" TaskCategory="\w+\s\w+\s\w+\s\w+"<BR /><BR />Ive also tried&nbsp;<BR /><BR />blacklist7 = EventCode="4769" TaskCategory="Kerberos Service Ticket Operations"<BR /><BR /></P> Wed, 20 Dec 2023 00:46:27 GMT https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672353#M230308 nyajoefit22 2023-12-20T00:46:27Z https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672368#M230312 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263462">@nyajoefit22</a>,</P><P>you shoud try to use a regex not only for the&nbsp;<SPAN>TaskCategory field but for al the rule, something like this:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">blacklist7 = EventCode\s*\=\s*4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+</LI-CODE><P>&nbsp;</P><P><SPAN>I could be more detailed if you can share a sample of your logs.</SPAN></P><P><SPAN>You can find many answer to this question in Community.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Wed, 20 Dec 2023 07:36:54 GMT https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672368#M230312 gcusello 2023-12-20T07:36:54Z https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672413#M230317 <P>This is the log. According to the splunk blacklisting documentation ., event codes do not have to be in regex format.&nbsp;</P> <P><BR /><BR /></P> <LI-CODE lang="markup">LogName=Security EventCode=4769 EventType=0 SourceName=Microsoft-Windows-Security-Auditing Type=Information RecordNumber=642560180 Keywords=Audit Success TaskCategory=Kerberos Service Ticket Operations OpCode=Info Message=A Kerberos service ticket was requested.</LI-CODE> <P>&nbsp;</P> Wed, 20 Dec 2023 16:03:42 GMT https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672413#M230317 Bo3432 2023-12-20T16:03:42Z https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672415#M230319 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248673">@Bo3432</a>&nbsp;,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf</A>&nbsp;blacklist requires a regex:</P><LI-CODE lang="markup">blacklist = &lt;regular expression&gt;</LI-CODE><P>but also:</P><LI-CODE lang="markup">blacklist = &lt;comma-separated list&gt; | key=regex [key=regex]</LI-CODE><P>so I prefer to use a full regex containing both the keywors.</P><P>In your case, you have a multiline log, so you have to add "(?ms)" to the beginning of the regex:</P><LI-CODE lang="markup">(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/ToPGX2/1" target="_blank">https://regex101.com/r/ToPGX2/1</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 20 Dec 2023 15:28:57 GMT https://community.splunk.com/t5/Splunk-Search/blacklisting-event-code-4679-TaskCategory-Kerberos-Service/m-p/672415#M230319 gcusello 2023-12-20T15:28:57Z