Getting Data In

How to blacklist security events by regex?

AL3Z
Builder

Hi all,


I'm attempting to exclude specific undesired data from the security logs. Is there a way to minimize the number of items on the exclusion list, considering that we can only add up to 10 items to the blacklist due to limitations. Is there a possibility of consolidating the blacklist by, for example, appending a "|" (pipe) at the end of each blacklisted item, thereby reducing the total number of entries in the blacklist while still achieving the desired exclusion?

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
blacklist2 = EventCode="4648|5145|4799|5447|4634|5156|4663|4656|5152|5157|4658|4673|4661|4690|4932|4933|5158|4957|5136|4674|4660|4670|5058|5061|4985|4965"
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool.exe)"
blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk-winprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-powershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-regmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-admon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-perfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk\-winhostinfo\.exe)"
blacklist5 = EventCode="4688" Message="(?:Process Command Line:).+(?:system32\\SearchFilterHost.exe)|.+(?:find/i)|.+(?:WINDOWS\\system32\\conhost.exe)"
renderXml=true

Labels (1)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, what you describe is allowed as long as the text after the '=' is a valid regular expression.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

Hi,  My ask is like can we adjust these regex under one or more blacklist so that we can add few more regex for limitation issue like 10 is max.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe I already said you can do that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...