Security

How to create exception EventID 8004 - imputs.conf?

RenanMarcelino
Explorer

Hi everyone,

I'm trying to create an EventID 8004 exception from the C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe directory. I need to receive in Splunk EventID 8004 but not from RdrCEF.exe . I'm trying to use these blacklists below, but I still get events from this directory. I'm suspicious about the regex, perhaps incorrectly. Some help?

directory
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

regex usage:
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"

blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"

in event viwer the trigger is:
%PROGRAMFILES%\ADOBE\ACROBAT READER DC\READER\ACROCEF_1\RDRCEF.EXE

Labels (1)
0 Karma

RenanMarcelino
Explorer

Hello, @isoutamo .

I posted my imputs.conf iabove.

I appreciate it if you can help me 

 

0 Karma

RenanMarcelino
Explorer
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = "our indexer"
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
_TCP_ROUTING = "our destiny"
0 Karma

isoutamo
SplunkTrust
SplunkTrust

I think that your white and black lists are not correct regular expressions. You should try to use something like

C:\\\\Program Files \(x86\)\\Adobe\\Acrobat Reader DC\\Reader\\acrocef\_1\\RdrCEF\.exe

as a FullFilePath. A good place to test those is regex101.com.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you post your real inputs.conf inside </> block?

RenanMarcelino
Explorer

follow the imputs.conf @isoutamo 

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = "our indexer"
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
_TCP_ROUTING = "our destiny"

 

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...