Splunk Search

Blacklist WinEventLog::/Security with user names ending in $

ericrenfro
New Member

I'm trying to get a blacklisted log entry that works on Universal Forwarders to filter out specific event codes with user fields that end in $ in their value.

What I have now, works on my test environment with uploaded sample logs, but not directly on the Universal Forwarder itself:

blacklist1 = EventCode="(4624|4634)" user=".*\$"
blacklist2 = EventCode="4672" Account_Name=".*\$"

What can I do to get this right so it actually works? I know that in the event log, raw, the matching line actually is space indented and something like:

...
Subject:
  Security ID:    S-1-5-18
  Account Name:   something$
  Account Domain:   domain
...

Thank you!

0 Karma

spayneort
Contributor

Try these:

blacklist1 = EventCode="4624" Message="(?ms)New\sLogon:.*?Account\sName:[^\n]+\$$"
blacklist2 = EventCode="(4634|4672)" Message="(?m)Account\sName:[^\n]+\$$"
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...