Hello,
Many thanks in advance for taking the time to read/consider my question, it's always appreciated!
I'm currently working on reducing the overhead of our existing Windows UF by adding to our blacklist in a way that effectively blacklists all login events for Windows where the Process Name is "-", since these are often extremely voluminous and don't directly correlate with actual user logins (feel free to correct me if I'm wrong here). These are also indicated when the "Process ID" is "0x0", which is also reflected in the blacklists I've attempted below:
The blacklists that I have tried to no avail are as follows:
blacklist = EventCode="4624" Message="(?:Process Name:).+(?:C:\\Windows\\System32\\services.exe)|.+(?:C:\\Windows\\System32\\winlogon.exe)|.+(?:C:\\Windows\\CCM\\CcmExec.exe)|.+(?:[-]\sNetwork)"
blacklist = EventCode="4624" Message="Process\sID:\s0x0"
blacklist = EventCode="4624" Message="(?:Process\sName:\s[-])"
Please let me know if I'm missing anything with any of the blacklists above, but so far in my testing none of them actually eliminates the "Process Name" of "-" events being sent to Splunk, which increases our license ingestion while providing essentially no new information or value.
Thanks in advance, any & all answers will be rewarded with karma!
Charlie
I've since discovered and tested the solution, I am posting this for future users who may have had the same question as me:
blacklist = EventCode="4624" Message="Process ID:\s+.*0x0"
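To see why the earlier patterns missed and the final one matches, the following added example (not from the original thread) replays the three regexes against a constructed 4624 message body laid out the way Windows renders it, with tab-separated label/value columns. The event text, host names and PIDs are constructed placeholders; Python's re module is used as a stand-in for the PCRE engine Splunk applies to Message= blacklists. It also checks an edge case the accepted pattern does not guard against: a non-zero PID whose hex happens to begin with 0x0.

```python
import re

# Constructed sample of a Windows Security 4624 message body. Windows separates
# the label and value columns with one or more TAB characters, which is what
# defeats a regex that allows only a single \s. Values are placeholders.
SAMPLE_4624_PID0 = (
    "An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tHOST01$\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
    "\tLogon ID:\t\t0x3E7\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "Process Information:\n"
    "\tProcess ID:\t\t0x0\n"
    "\tProcess Name:\t\t-\n"
    "\n"
    "Network Information:\n"
    "\tWorkstation Name:\tHOST01\n"
)

# Constructed variant: a logon performed by a real process (should be kept).
SAMPLE_4624_REAL = SAMPLE_4624_PID0.replace(
    "\tProcess ID:\t\t0x0\n", "\tProcess ID:\t\t0x2a4\n"
).replace(
    "\tProcess Name:\t\t-\n",
    "\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n",
)

# Constructed edge case: a real PID whose hex string starts with "0x0".
SAMPLE_4624_PID_0X0C4 = SAMPLE_4624_REAL.replace(
    "\tProcess ID:\t\t0x2a4\n", "\tProcess ID:\t\t0x0c4\n"
)

# Patterns quoted in the thread (first two did not work, third is the answer).
PATTERNS = {
    "single_ws": r"Process\sID:\s0x0",
    "name_dash": r"(?:Process\sName:\s[-])",
    "accepted":  r"Process ID:\s+.*0x0",
}

# Hypothetical tighter alternative (my suggestion, not from the thread):
# anchor on the whole PID token so "0x0c4" is not mistaken for "0x0".
TIGHT_PATTERN = r"Process ID:\s+0x0\b"


def matches(pattern, message):
    """Unanchored search, which is how a Message= blacklist regex is applied."""
    return re.search(pattern, message) is not None


def evaluate(message):
    """Return {pattern_name: matched?} for every pattern quoted in the thread."""
    return {name: matches(p, message) for name, p in PATTERNS.items()}


def blacklisted_accepted(message):
    """Would the poster's accepted blacklist drop this event?"""
    return matches(PATTERNS["accepted"], message)


def blacklisted_tight(message):
    """Would the hypothetical word-boundary-anchored blacklist drop this event?"""
    return matches(TIGHT_PATTERN, message)


if __name__ == "__main__":
    for label, msg in [("PID 0x0", SAMPLE_4624_PID0),
                       ("PID 0x2a4", SAMPLE_4624_REAL),
                       ("PID 0x0c4", SAMPLE_4624_PID_0X0C4)]:
        print(label, evaluate(msg), "tight:", blacklisted_tight(msg))
```

The two failing patterns each allow exactly one whitespace character after the label, but the rendered event has two tabs there, so neither ever matches; `\s+` in the accepted pattern fixes that. The `.*` in the accepted pattern, however, means any PID line containing the substring `0x0` is dropped, so a logon from a process with PID 0x0c4 would be blacklisted too; counting how often such PIDs appear in your own data before deploying, or using the word-boundary form, avoids silently losing real logon events.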