Solved: Can I use != in blacklist?

benbabich · ‎10-12-2017

I only want to see cmd.exe and blacklist everything else for EventCode 4688.

blacklist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)" will remove cmd.exe but 'Message!=' doesn't do the opposite.

richgalloway · ‎10-12-2017

Perhaps a whitelist?

whitelist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

benbabich · ‎10-13-2017

That does work but I have some inherited blacklists that would have made it easier (for other reasons not shown in the example) to do it in blacklist.

richgalloway · ‎10-12-2017

Perhaps a whitelist?

whitelist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"

---
If this reply helps you, Karma would be appreciated.

benbabich · ‎10-13-2017

I was really trying to do it in Blacklist due to some convoluted but prebuilt blacklists I inherited but I think I'll just have to build it out properly in the whitelist. It really is the best way to do it.

Can I use != in blacklist?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!