Splunk Search

Regex challenge: How can I blacklist all 4662 events unless they are related to group policy or DNS?

dw385
Explorer

I'm struggling to find the proper regex to adjust the blacklist for 4662 events.
I want to blacklist all 4662 events unless they are related to group policy or DNS.

I've tried a number of combinations. My latest running example is:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer|dnsNode))"

Using this I get back no 4662 events.
So far while trying to research and understand RegEx I haven't figured out how to make this work.

swong_splunk
Splunk Employee

Give this a try:

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|dnsNode))"

bheemireddi
Communicator

dw385,

So are you saying this example regex in your inputs.conf is working or not working for what you are trying to achieve? Can you clarify your question?


dw385
Explorer

I'm trying to ignore all events with the ID 4662 unless they are from the object type "groupPolicyContainer" or "dnsNode".

Example message field from an event:
An operation was performed on an object.

Subject :
    Security ID:        domain\user
    Account Name:       user
    Account Domain:     domain
    Logon ID:       0x57634DF

Object:
    Object Server:      DS
    Object Type:        groupPolicyContainer
    Object Name:        CN=Configuration,DC=domain,DC=domain
    Handle ID:      0x0

Operation:
    Operation Type:     Object Access
    Accesses:       Control Access

    Access Mask:        0x100
    Properties:     Control Access
        Replicating Directory Changes
    configuration


Additional Information:
    Parameter 1:        -
    Parameter 2:

The out of the box config for the Windows TA contains this blacklist entry:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

I'm just trying to also include dnsNode with groupPolicyContainer to index those two types of events but ignore everything else.

I thought it would just be an OR as I listed above but that config does not work.

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer)|(dnsNode))"

This actually causes every 4662 event to be indexed, regardless of object type.

My first attempt was

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer|dnsNode)"

which causes all 4663 events to be indexed.

Removing the negation, the regex appears to match an event correctly. I suspect there's something about the ?! I haven't figured out yet.

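The following Python script is an added example, not code from the thread or from the Splunk TA. It reproduces the behaviour dw385 reports for the "Object Type:\s+(?!...)" patterns (every 4662 event ends up blacklisted, because \s+ backtracks one space and the negative lookahead then succeeds on " groupPolicyContainer") and shows why the pattern in swong_splunk's reply, with the whitespace inside the lookahead, keeps only the two wanted object types. The Message bodies are constructed from the event quoted above, and Splunk's blacklist is modelled as an unanchored regex search over the Message field, which is an assumption of the example.

```python
import re

# Constructed sample Message bodies, modelled on the 4662 event quoted in the
# thread. Only the "Object Type:" line differs between them.
def _message(object_type: str) -> str:
    return (
        "An operation was performed on an object.\n\n"
        "Subject :\n"
        "    Security ID:        domain\\user\n"
        "    Account Name:       user\n"
        "    Account Domain:     domain\n"
        "    Logon ID:       0x57634DF\n\n"
        "Object:\n"
        "    Object Server:      DS\n"
        f"    Object Type:        {object_type}\n"
        "    Object Name:        CN=Configuration,DC=domain,DC=domain\n"
        "    Handle ID:      0x0\n"
    )

SAMPLE_EVENTS = {
    "gpo": _message("groupPolicyContainer"),   # want to keep
    "dns": _message("dnsNode"),                # want to keep
    "user": _message("user"),                  # constructed: should be dropped
    "computer": _message("computer"),          # constructed: should be dropped
}

# The pattern from the question. It reads as "whitespace, then NOT one of the
# two types", but when the lookahead fails after all eight spaces the engine
# backtracks: \s+ gives one space back, the lookahead now sees
# " groupPolicyContainer", which is not "groupPolicyContainer", so it succeeds
# and the regex matches every event regardless of object type.
BROKEN = r"Object Type:\s+(?!(groupPolicyContainer|dnsNode))"

# The pattern from swong_splunk's reply. The whitespace is consumed inside the
# lookahead, so there is no quantifier outside it left to backtrack into.
FIXED = r"Object Type:(?!\s*(groupPolicyContainer|dnsNode))"


def is_blacklisted(pattern: str, message: str) -> bool:
    """Model of the blacklist: the event is dropped when the regex matches
    anywhere in the Message field (unanchored search; an assumption here)."""
    return re.search(pattern, message) is not None


def dropped_events(pattern: str) -> set:
    """Names of the sample events a given blacklist regex would discard."""
    return {name for name, msg in SAMPLE_EVENTS.items()
            if is_blacklisted(pattern, msg)}


if __name__ == "__main__":
    for label, pattern in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(f"{label}: drops {sorted(dropped_events(pattern))}")
```

Running it shows BROKEN dropping all four samples, which is why "I get back no 4662 events", while FIXED drops only the constructed "user" and "computer" events. The same trap applies to any "\s+(?!...)" blacklist: either move the whitespace into the lookahead as above, or, where the regex engine supports it, use a possessive quantifier ("\s++") so the spaces cannot be given back.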