Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create exception EventID 8004 - imputs.conf?

RenanMarcelino
Explorer
‎06-01-2023 06:52 AM

Hi everyone,

I'm trying to create an EventID 8004 exception from the C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe directory. I need to receive in Splunk EventID 8004 but not from RdrCEF.exe . I'm trying to use these blacklists below, but I still get events from this directory. I'm suspicious about the regex, perhaps incorrectly. Some help?

directory
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

regex usage:
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"

blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"

in event viwer the trigger is:
%PROGRAMFILES%\ADOBE\ACROBAT READER DC\READER\ACROCEF_1\RDRCEF.EXE

Labels (1)
Labels
0 Karma
Reply

RenanMarcelino
Explorer
‎06-01-2023 08:12 AM

Hello, @isoutamo .

I posted my imputs.conf iabove.

I appreciate it if you can help me 

 

0 Karma
Reply

RenanMarcelino
Explorer
‎06-01-2023 08:09 AM 
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = "our indexer"
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
_TCP_ROUTING = "our destiny"
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-21-2023 05:32 AM

I think that your white and black lists are not correct regular expressions. You should try to use something like

C:\\\\Program Files \(x86\)\\Adobe\\Acrobat Reader DC\\Reader\\acrocef\_1\\RdrCEF\.exe

as a FullFilePath. A good place to test those is regex101.com.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-01-2023 07:14 AM

Can you post your real inputs.conf inside </> block?

Reply

RenanMarcelino
Explorer
‎06-01-2023 10:27 AM

follow the imputs.conf @isoutamo 

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = "our indexer"
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist = EventCode = "^8004$" FullFilePath = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
blacklist1 = EventCode = "^8004$" Message = "C:\\Program\sFiles\s\(x86\)\\Adobe\\Acrobat\sReader\sDC\\Reader\\acrocef\_1\\RdrCEF\.exe"
_TCP_ROUTING = "our destiny"

 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top