I'm trying to create a blacklist for several Event IDs to exclude any events with multiple user accounts. For example, I'd like to filter EventID 4688 for any logs where the Account Name is Blank, any service account that begins with svc, any computer account that ends with $, etc.
I've tried the following, but I don't think either syntax is correct and i'm not sure how to include wildcards.
blacklist1=EventCode="4624,4625,4688" Message="Account Name:\s+$s+"
blacklist2=EventCode=%^(4624|4625|4688)$% User=%svc% %$% % %
NOTE: The 2 blacklist lines are the formats I've tried. I did not have both lines running at the same time.
What i'm looking for is essentially something like this:
Blacklist = EventID1, 2, 3 Account=*$, svc*, *(blank)*
I've tried using regex101 and regexer, but I feel i'm just not grasping the syntax of RegEx in general. Any help would be appreciated!
Understanding regular expressions (even a little) is critical to getting blacklists to work.
There is one wildcard character in regexes: .
. It (and just about anything else) can be following by a quantifier that says how many of that character are allowed. *
means any number, +
means at least one, and ?
means one or none. There are other quantifiers, but that's a more advanced topic.
There are some special characters to know about. $
means end-of-line, ^
means beginning-of-line, |
separates optional matches, and '\' cancels a special character. Anything that is not a special character or quantifier is literal text.
Armed with that information, your example blacklist1 would match only an event with an EventCode field that contains 3 numbers (not gonna happen). Blacklist2 is not valid because it contains two strings without matching keywords.
Try these:
blacklist1 = EventCode="4624|4625|4688" Message="Account Name:\s+\$.*"
blacklist2 = EventCode="4624|4625|4688" User=".*\$|svc.*|.*\s+.*"
So i've tried both of your options, but I'm still getting events coming in with Account Names/User names listed in the blacklist (computer$, svc, blank, etc)
Closely examine the Message and User fields of the unwanted events. Make sure the contents match the regular expressions in your blacklists. If they don't, adjust the regexes as needed.