Getting Data In

blacklist an event id 4670 with task category: Authorization Policy Change

Explorer

Hi, I am trying to blacklist an event id 4670 with task category: Authorization Policy Change

I've tried:

blacklist 1 = EventCode="4670" Task_Category="Authorization Policy Change"

blacklist 1 = EventCode="4670" TaskCategory="Authorization Policy Change"

blacklist 1 = EventCode="4670" Task_Category="s+Authorization Policy Change"

but none works....can someone please tell me what I am doing wrong?

Thank you in advance.

0 Karma

SplunkTrust
SplunkTrust

According to the docs (and from experience), it'll be "TaskCategory". If the TaskCategory is exactly "Authorization Policy Change" (which google says is likely, then number 2 should have worked. Of course, there's the space issue, which may be real or may just be the editor. I'm going to assume it's a copy and paste and thus the space is a problem. So, your blacklist should be

blacklist1 = EventCode="4670" TaskCategory="Authorization Policy Change"

I don't have any of those events in my logs, so if it doesn't work, please confirm that's exactly the right TaskCategory String.

0 Karma

SplunkTrust
SplunkTrust

Please check blacklist1 has no space in it.

0 Karma