Regex challenge: How can I blacklist all 4662 events unless they are related to group policy or DNS?

dw385
Explorer

I'm struggling to find the proper regex to adjust the blacklist for 4662 events.
I want to blacklist all 4662 events unless they are related to group policy or DNS.

I've tried a number of combinations. My latest running example is:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer|dnsNode))"

Using this I get back no 4662 events.
So far while trying to research and understand RegEx I haven't figured out how to make this work.

swong_splunk
Splunk Employee

Give this a try:

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|dnsNode))"

bheemireddi
Communicator

dw385,

So are you saying this example regex in your inputs.conf is working or not working for what you are trying to achieve? Can you clarify your question?

0 Karma

dw385
Explorer

I'm trying to ignore all events with the ID 4662 unless they are from the object type "groupPolicyContainer" or "dnsNode".

Example message field from an event:
An operation was performed on an object.

Subject :
    Security ID:        domain\user
    Account Name:       user
    Account Domain:     domain
    Logon ID:       0x57634DF

Object:
    Object Server:      DS
    Object Type:        groupPolicyContainer
    Object Name:        CN=Configuration,DC=domain,DC=domain
    Handle ID:      0x0

Operation:
    Operation Type:     Object Access
    Accesses:       Control Access

    Access Mask:        0x100
    Properties:     Control Access
        Replicating Directory Changes
    configuration


Additional Information:
    Parameter 1:        -
    Parameter 2:

The out-of-the-box config for the Windows TA contains this blacklist entry:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

I'm just trying to also include dnsNode with groupPolicyContainer to index those two types of events but ignore everything else.

I thought it would just be an OR as I listed above but that config does not work.

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!(groupPolicyContainer)|(dnsNode))"

This actually causes every 4662 event to be indexed, regardless of object type.

My first attempt was

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer|dnsNode)"

which causes all 4663 events to be indexed.

Removing the negation, the regex appears to work to match on an event. I suspect there's something about the ?! I haven't figured out yet.

0 Karma
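The behaviour described in this thread comes down to backtracking: with `\s+(?!...)`, the engine can give back one whitespace character so that the lookahead is evaluated in front of a space rather than in front of the object type, and the negative lookahead then succeeds for every event. Moving the whitespace inside the lookahead, as in the accepted answer, removes that escape route. The script below is an added example (not from the thread or from Splunk); it uses Python's `re` as a stand-in for Splunk's regex engine, a constructed, abbreviated Message field, and treats a blacklist regex as an unanchored search, which is how Splunk applies `blacklist` entries.

```python
import re

# Constructed sample of a 4662 Message field, abbreviated from the example in
# the thread; only the "Object Type:" line matters for the blacklist regex.
def make_message(object_type: str) -> str:
    return (
        "An operation was performed on an object.\n\n"
        "Object:\n"
        "    Object Server:      DS\n"
        f"    Object Type:        {object_type}\n"
        "    Object Name:        CN=Configuration,DC=domain,DC=domain\n"
    )

# The Message= regexes quoted in the thread (TA default, the question, the answer).
PATTERNS = {
    "ta_default": r"Object Type:\s+(?!groupPolicyContainer)",
    "question":   r"Object Type:\s+(?!(groupPolicyContainer|dnsNode))",
    "answer":     r"Object Type:(?!\s*(groupPolicyContainer|dnsNode))",
}

def is_blacklisted(pattern: str, message: str) -> bool:
    """True if the blacklist regex matches, i.e. Splunk would drop the event."""
    return re.search(pattern, message) is not None

def whitespace_consumed(pattern: str, message: str) -> int:
    """How many whitespace characters the match swallowed after 'Object Type:'.

    For the \\s+ patterns this is one less than the real gap whenever the
    regex only matched by backtracking past the lookahead; -1 means no match.
    """
    m = re.search(pattern, message)
    if m is None:
        return -1
    return len(m.group(0)) - len("Object Type:")

if __name__ == "__main__":
    for obj_type in ("groupPolicyContainer", "dnsNode", "user"):
        msg = make_message(obj_type)
        for name, pat in PATTERNS.items():
            print(f"{obj_type:22} {name:10} blacklisted={is_blacklisted(pat, msg)!s:5} "
                  f"whitespace consumed={whitespace_consumed(pat, msg)}")
```

Run it and the "question" pattern reports every object type as blacklisted, consuming 7 of the 8 spaces in the sample, while the "answer" pattern keeps groupPolicyContainer and dnsNode events and drops the rest.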