Getting Data In

How to blacklist specific accounts in Windows security log event 4663?

splunkbacon
Explorer

I've seen several posts here, but none that really have a concrete answer on this. I'm trying to blacklist certain accounts in my inputs.conf on the Splunk universal forwarder for Windows event id 4663 (object access).

Does anyone know the correct way to blacklist several account names from appearing in the data forwarded to Splunk? I've seen some people say key off of user, others with message= followed by some regex with Account Name.

The below obviously does not work.

blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2"
0 Karma

lredij
Engager

Yes it is case sensitive
try this one
blacklist1 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount1\s"

blacklist2 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount2\s"

blacklist3 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\tComputername$\s"

Or you can combine accounts by using pipe |.

splunkbacon
Explorer

Thank you. I didn't try exactly what you have there but ended up getting this to work earlier.

blacklist= Message="Account\sName:\s+(account1|SYSTEM|account2|(Computername\$))"

Does anyone know if these entries are case sensitive or not?

0 Karma

lguinn2
Legend

This seems to be a common misconception about filtering Windows Event log inputs. You can't use any field that you want as a key. Fields are not keys; in fact, fields do not exist at input time. You can find the list of keys in the docs here.
If the information that you want can be found in any of these keys, you can write a regular expression that matches. For example:

blacklist = EventCode="4663" Message="User|SERVER$|UserAccount1|UserAccount2"

splunkbacon
Explorer

Thank you. I was able to get something similar to work after posting this.

Does anyone know if these regex are case sensitive by default? I believe we can't follow the regex with /i to ignore case?

0 Karma

lguinn2
Legend

Regular expressions are always case sensitive. Since Splunk uses PCRE, you should be able to make a regular expression case-INsensitive by putting (?i) at the beginning of the regex.

Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...