Getting Data In

How to blacklist security events by regex?

AL3Z
Builder

Hi all,


I'm attempting to exclude specific undesired data from the security logs. Is there a way to minimize the number of items on the exclusion list, considering that we can only add up to 10 items to the blacklist due to limitations. Is there a possibility of consolidating the blacklist by, for example, appending a "|" (pipe) at the end of each blacklisted item, thereby reducing the total number of entries in the blacklist while still achieving the desired exclusion?

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
blacklist2 = EventCode="4648|5145|4799|5447|4634|5156|4663|4656|5152|5157|4658|4673|4661|4690|4932|4933|5158|4957|5136|4674|4660|4670|5058|5061|4985|4965"
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool.exe)"
blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk-winprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-powershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-regmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-admon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-perfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk\-winhostinfo\.exe)"
blacklist5 = EventCode="4688" Message="(?:Process Command Line:).+(?:system32\\SearchFilterHost.exe)|.+(?:find/i)|.+(?:WINDOWS\\system32\\conhost.exe)"
renderXml=true

Labels (1)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, what you describe is allowed as long as the text after the '=' is a valid regular expression.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

Hi,  My ask is like can we adjust these regex under one or more blacklist so that we can add few more regex for limitation issue like 10 is max.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe I already said you can do that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...