Splunk Search

Regex challenge: How can I blacklist all 4662 events unless they are related to group policy or DNS?

dw385
Explorer

I'm struggling to find the proper regex to adjust the blacklist for 4662 events.
I want to blacklist all 4662 events unless they are related to group policy or DNS.

I've tried a number of combinations. My latest running example is:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer|dnsNode))"

Using this I get back no 4662 events.
So far while trying to research and understand RegEx I haven't figured out how to make this work.

swong_splunk
Splunk Employee

Give this a try:

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|dnsNode))"

bheemireddi
Communicator

dw385,

So are you saying this example regex in your inputs.conf is working or not working with respect to what you are trying to achieve? Can you clarify your question?


dw385
Explorer

I'm trying to ignore all events with the ID 4662 unless they are from the object type "groupPolicyContainer" or "dnsNode".

Example message field from an event:
An operation was performed on an object.

Subject :
    Security ID:        domain\user
    Account Name:       user
    Account Domain:     domain
    Logon ID:       0x57634DF

Object:
    Object Server:      DS
    Object Type:        groupPolicyContainer
    Object Name:        CN=Configuration,DC=domain,DC=domain
    Handle ID:      0x0

Operation:
    Operation Type:     Object Access
    Accesses:       Control Access

    Access Mask:        0x100
    Properties:     Control Access
        Replicating Directory Changes
    configuration


Additional Information:
    Parameter 1:        -
    Parameter 2:

The out of the box config for the Windows TA contains this blacklist entry:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

I'm just trying to also include dnsNode with groupPolicyContainer to index those two types of events but ignore everything else.

I thought it would just be an OR as I listed above but that config does not work.

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer)|(dnsNode))"

This actually causes every 4662 event to be indexed, regardless of object type.

My first attempt was

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer|dnsNode)"

which causes all 4663 events to be indexed.

Removing the negation, the regex appears to work to match on an event. I suspect there's something about the ?! I haven't figured out yet.

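To see why the suggested fix puts the whitespace inside the lookahead, here is an added Python check that is not part of the thread and is not Splunk's matching engine: it runs the original attempt and the suggested pattern over the Message text posted above. Python's re module treats negative lookahead and backtracking the same way as the PCRE-style syntax used here, so it reproduces the matching behaviour, but it does not model how Splunk parses the inputs.conf line itself. The dnsNode and user variants of the message are constructed by substituting the Object Type value in the posted sample.

```python
import re

# Message field from the thread, trimmed to the Subject and Object sections.
# The Object Type line has exactly eight spaces after the colon.
GPC_MESSAGE = (
    "An operation was performed on an object.\n"
    "\n"
    "Subject :\n"
    "    Security ID:        domain\\user\n"
    "    Account Name:       user\n"
    "    Account Domain:     domain\n"
    "    Logon ID:       0x57634DF\n"
    "\n"
    "Object:\n"
    "    Object Server:      DS\n"
    "    Object Type:        groupPolicyContainer\n"
    "    Object Name:        CN=Configuration,DC=domain,DC=domain\n"
    "    Handle ID:      0x0\n"
)

# Constructed variants: identical layout, different Object Type values.
DNS_MESSAGE = GPC_MESSAGE.replace("groupPolicyContainer", "dnsNode")
USER_MESSAGE = GPC_MESSAGE.replace("groupPolicyContainer", "user")

# The two Message regexes exactly as they appear in the thread.
# ATTEMPT consumes the whitespace before the lookahead; FIX consumes it inside.
ATTEMPT = r"Object Type:\s+(?!(groupPolicyContainer|dnsNode))"
FIX = r"Object Type:(?!\s*(groupPolicyContainer|dnsNode))"

PREFIX = "Object Type:"


def is_blacklisted(pattern, message):
    """A blacklist entry drops an event when its regex matches anywhere in the field."""
    return re.search(pattern, message) is not None


def whitespace_consumed(pattern, message):
    """How many whitespace characters the match swallowed after 'Object Type:'.

    Returns -1 when the pattern does not match at all. For ATTEMPT on the
    groupPolicyContainer message this is 7, not 8: the engine gave back one
    space so the lookahead could be evaluated in front of a space instead of
    in front of 'groupPolicyContainer', which lets the negative lookahead succeed.
    """
    m = re.search(pattern, message)
    if m is None:
        return -1
    return len(m.group(0)) - len(PREFIX)


def outcome(pattern, message):
    """Human-readable verdict for a message under a given blacklist regex."""
    return "dropped" if is_blacklisted(pattern, message) else "indexed"


if __name__ == "__main__":
    for name, pattern in (("attempt", ATTEMPT), ("fix", FIX)):
        for label, msg in (("groupPolicyContainer", GPC_MESSAGE),
                           ("dnsNode", DNS_MESSAGE),
                           ("user", USER_MESSAGE)):
            print(f"{name:8} {label:22} {outcome(pattern, msg):8} "
                  f"whitespace consumed: {whitespace_consumed(pattern, msg)}")
```

With `\s+` outside the lookahead, the engine first consumes all eight spaces, finds the lookahead fails in front of `groupPolicyContainer`, then backs off one space; at that position the next character is a space, which is neither `groupPolicyContainer` nor `dnsNode`, so the negative lookahead succeeds and the entry matches, dropping every 4662 event regardless of type. With `\s*` inside the lookahead there is no consumed whitespace to back off, so the lookahead is always evaluated against the actual object type value: groupPolicyContainer and dnsNode events are indexed and everything else is dropped.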