Re: Inputs.conf blacklist with a negative regex

rafadvega · ‎01-31-2020

Hello,

I need to create a whitelist with the blacklist. I mean...

I have three blacklist in the windows security input:

[WinEventLog://Security]
disabled=0
index = wineventlog
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog
...
...
...
blacklist = 4624,4625,2222
blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'>(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\btool.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe)</Data>"
blacklist2 = EventCode="1111" $XmlRegex="<Data Name='CallerProcessName'>C:\\ProgramData\\random\\andom2\\dasdfa.exe</Data>"

I need to add another blacklist like this:

blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>(C:\\Windows\\System32\\Taskmgr.exe)</Data>"

This blacklist remove all 4663 events with the processname Taskmgr.exe (works). But actually, I want to remove all 4663 events except, 4663 events with the process name Taskmgr.exe

I tried to use an expression like this, but it isn't work:

blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>(?!C:\\Windows\\System32\\Taskmgr.exe)</Data>"
blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>?!(C:\\Windows\\System32\\Taskmgr.exe)</Data>"
blacklist3 = EventCode="4663" $XmlRegex="<Data Name='ProcessName'>^((?!C:\\Windows\\System32\\Taskmgr.exe)[\s\S])*$</Data>"

Has it a solution? I can't use a whitelist because I have blacklists.

Thanks a lot!

xavierashe · ‎03-09-2020

Try this regex:

<Data Name='ProcessName'>((?!C:\\Windows\\System32\\Taskmgr.exe).)*$

vansicklj · ‎06-01-2021

I got your regex to match by swapping "?!" for "!?", adding a delimiter to ".exe", and removing a pair of parentheses:

<Data Name='ProcessName'>(!?(C:\\Windows\\System32\\Taskmgr\.exe)).*$

See https://regex101.com/r/vGIN1P/1

richgalloway · ‎01-31-2020

What makes you think you can't use a whitelist? There is nothing in the documentation that says you can't use both white and black lists.

---
If this reply helps you, Karma would be appreciated.

rafadvega · ‎01-31-2020

Thanks for answering. I tried this also:

[WinEventLog://Security]
disabled=0
index = wineventlog
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog
...
...
...
whitelist= EventCode="4663" $XmlRegex="(C:\Windows\System32\Taskmgr.exe)"
blacklist = 4624,4625,2222
blacklist1 = EventCode="4688" $XmlRegex="(C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\btool.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe)|(C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe)"
blacklist2 = EventCode="1111" $XmlRegex="C:\ProgramData\random\andom2\dasdfa.exe"

But it isn't work. When I add the whitelist, all security events are filtered...

Inputs.conf blacklist with a negative regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation