Hi! I'm trying to blacklist events with code 4672 and with SubjectUserSid DOMAIN\SRV-XXX-AAA-99$
I've tried this line:
blacklist2 = $XmlRegex="<EventID>4672<\/EventID>.*<Data Name='SubjectUserSid'>DOMAIN\\SRV\-XXX\-AAA\-99\$"
but it isn't working.
Example:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-11T15:18:48.860247900Z'/><EventRecordID>350156866</EventRecordID><Correlation ActivityID='{af83069e-fb2f-000b-110a-83af2ffbd601}'/><Execution ProcessID='188' ThreadID='41464'/><Channel>Security</Channel><Computer>srv-xxx-aaa--99.DOMAIN.LOCAL</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>DOMAIN\SRV-XXX-AAA-99$</Data><Data Name='SubjectUserName'>SRV-XXX-AAA-99$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x88feea93</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event>
I've tested this on regex101; it has a match, but in Splunk it isn't working.
Any suggestion will be appreciated.
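An added example, not from the original post and not Splunk code, that runs the blacklist2 $XmlRegex pattern from the post against constructed XML events shaped like the quoted one, using Python's re module (the same Perl-style syntax regex101 uses). The event builder, the extra sample SIDs and the privilege-based variant are assumptions made for the example. It only shows what the regex itself matches; it does not model how Splunk reads the inputs.conf value or the event text at input time, so a match here proves the pattern, not the Splunk configuration.

```python
import re

# The value of blacklist2 between the double quotes, exactly as in the post,
# kept as a raw string so Python sees the same backslashes the conf file holds.
BLACKLIST_XMLREGEX = (
    r"<EventID>4672<\/EventID>.*"
    r"<Data Name='SubjectUserSid'>DOMAIN\\SRV\-XXX\-AAA\-99\$"
)


def make_event(event_id, sid, user, privileges):
    """Build a constructed Security-channel event in Splunk's renderXml shape.
    Only the fields the regex looks at are kept; PrivilegeList is multi-line,
    as in the real event. Host and domain names are placeholders."""
    priv_list = "\n".join(privileges)
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID><Channel>Security</Channel>"
        "<Computer>srv-xxx-aaa--99.DOMAIN.LOCAL</Computer></System>"
        f"<EventData><Data Name='SubjectUserSid'>{sid}</Data>"
        f"<Data Name='SubjectUserName'>{user}</Data>"
        "<Data Name='SubjectDomainName'>DOMAIN</Data>"
        f"<Data Name='PrivilegeList'>{priv_list}</Data>"
        "</EventData></Event>"
    )


PRIVS = ["SeSecurityPrivilege", "SeBackupPrivilege", "SeDebugPrivilege"]

# Constructed samples: the post's event, then three that must NOT be dropped
# (a machine account whose name merely starts the same, a human admin, and a
# 4624 logon from the same machine account).
SAMPLES = {
    "post_event": make_event(4672, "DOMAIN\\SRV-XXX-AAA-99$", "SRV-XXX-AAA-99$", PRIVS),
    "other_host": make_event(4672, "DOMAIN\\SRV-XXX-AAA-990$", "SRV-XXX-AAA-990$", PRIVS),
    "human_admin": make_event(4672, "DOMAIN\\jdoe", "jdoe", PRIVS),
    "logon_4624": make_event(4624, "DOMAIN\\SRV-XXX-AAA-99$", "SRV-XXX-AAA-99$", []),
}


def is_blacklisted(event_xml, pattern=BLACKLIST_XMLREGEX):
    """True if the blacklist regex is found anywhere in the rendered event,
    i.e. the event would be dropped."""
    return re.search(pattern, event_xml) is not None


def apply_blacklist(events, pattern=BLACKLIST_XMLREGEX):
    """Return the sorted names of the events that survive the blacklist."""
    return sorted(name for name, xml in events.items()
                  if not is_blacklisted(xml, pattern))


# Assumed extension of the same pattern: also require SeDebugPrivilege in the
# PrivilegeList. That field is multi-line, so a ".*" that has to cross a line
# break only works with the dotall flag (?s); the post's pattern never crosses
# a line break, so it needs no flag.
PRIV_REGEX_NO_FLAG = (BLACKLIST_XMLREGEX
                      + r"<\/Data>.*<Data Name='PrivilegeList'>.*SeDebugPrivilege")
PRIV_REGEX_DOTALL = "(?s)" + PRIV_REGEX_NO_FLAG


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:12s} dropped={is_blacklisted(xml)}")
    print("kept:", apply_blacklist(SAMPLES))
    print("priv regex without (?s):", is_blacklisted(SAMPLES["post_event"], PRIV_REGEX_NO_FLAG))
    print("priv regex with    (?s):", is_blacklisted(SAMPLES["post_event"], PRIV_REGEX_DOTALL))
```

Run it directly to see which sample is dropped. The trailing `\$` in the post's pattern is what keeps `SRV-XXX-AAA-990$` from being swallowed, which matters because a blacklist on 4672 silently removes privileged-logon evidence for whatever it matches; keep the SID anchored so only the intended machine account is filtered.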