Security

How to create exception EventID 8004 - imputs.conf?

RenanMarcelino
Explorer

Hi everyone,

I'm trying to create an EventID 8004 exception from the C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe directory. I need to receive in Splunk EventID 8004 but not from RdrCEF.exe . I'm trying to use these blacklists below, but I still get events from this directory. I'm suspicious about the regex, perhaps incorrectly. Some help?

directory
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

regex usage:
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"

blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"

in event viwer the trigger is:
%PROGRAMFILES%\ADOBE\ACROBAT READER DC\READER\ACROCEF_1\RDRCEF.EXE

Labels (1)
0 Karma

RenanMarcelino
Explorer

Hello, @isoutamo .

I posted my imputs.conf iabove.

I appreciate it if you can help me 

 

0 Karma

RenanMarcelino
Explorer
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = "our indexer"
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
_TCP_ROUTING = "our destiny"
0 Karma

isoutamo
SplunkTrust
SplunkTrust

I think that your white and black lists are not correct regular expressions. You should try to use something like

C:\\\\Program Files \(x86\)\\Adobe\\Acrobat Reader DC\\Reader\\acrocef\_1\\RdrCEF\.exe

as a FullFilePath. A good place to test those is regex101.com.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you post your real inputs.conf inside </> block?

RenanMarcelino
Explorer

follow the imputs.conf @isoutamo 

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = "our indexer"
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
_TCP_ROUTING = "our destiny"

 

0 Karma
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...