Blacklist Windows Event ID 4769

Yadukrishnan · ‎01-16-2024

Hi,

I am trying to blacklist Windows Event ID 4769 from a particular User ID. Is this possible to be implemented.

I already added the following Blacklist but it didnt seem to work.

blacklist = EventCode="4769" User="Account Name"

PickleRick · ‎01-16-2024

1. Where are you putting those settings to?

2. What format are you ingesting your eventlogs in?

Yadukrishnan · ‎01-18-2024

I am making changes on opt splunk etc apps splunk_ta_win local inputs.conf. The Windows Event IDs are collected using Universal Forwarder. There is one another blacklist in the same configuration file which is working fine with out any issues.

PickleRick · ‎01-18-2024

OK.

How are you ingesting your events? key/value or XML?

Does the other (working) blacklist entry specify just the event code?

richgalloway · ‎01-16-2024

"Seem"? Either it worked or it didn't.

In which file did you add that line? On which Splunk instance? Did you restart Splunk after making the change?

---
If this reply helps you, Karma would be appreciated.

Yadukrishnan · ‎01-18-2024

Didnt work. Yes, I have restarted the services after making the changes.

Blacklist Windows Event ID 4769

heavy forwarder

indexer

inputs.conf

sourcetype

universal forwarder

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation

Blacklist Windows Event ID 4769

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.