Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Blacklist EventCode=4688 Not working with rend...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seanjconnell
Explorer
01-29-2020
04:51 AM
I was previously using the Seckit template for windows collection given to me by professional services and I noticed that the Splunk*.exe regex they are using was not working with the new xml tags as advertised. This is also in docs as a recommended stanza.
[WinEventLog://Security]
renderXml = true
disabled = false
evt_resolve_ad_obj = true
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
I figured because Message isn't the field that is there anymore so I modified it for the Xml tags and it is still not working
[WinEventLog://Security]
renderXml = true
disabled = false
evt_resolve_ad_obj = true
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventID="4688" NewProcessName=((?i)(?:[C-F]:\\Program Files\\(Splunk|SplunkUniversalForwarder)\\bin\\(?:btool|splunk|splunkd|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spayneort
Contributor
02-24-2020
08:35 AM
Use the $XmlRegex key instead of Message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spayneort
Contributor
02-24-2020
08:35 AM
Use the $XmlRegex key instead of Message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dstaulcu
Builder
10-29-2020
07:52 AM
Any idea what version of Splunk Universal forwarder introduced the $xmlRegex option?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seanjconnell
Explorer
09-08-2020
11:43 AM
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"
gathered from
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
