Splunk_TA_Windows event blacklist not working

vsskishore · ‎11-16-2018

I have below configuration in Splunk_TA_Windows inputs.conf to blacklist the NT AUTHORITY\SYSTEM events in 4663 code.
But my blacklist3 is not working as expected, still I get the events indexed.
Can some one help me in resolving the issue ?

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)
renderXml=false
index = winlogs

FrankVl · ‎11-19-2018

Have you checked whether that regex is correct? Security ID:(\w[NT]\s\w+.\w+) doesn't seem entirely accurate to match Security ID: NT AUTHORITY\SYSTEM. Perhaps simply try Message=Security ID:\s*NT\sAUTHORITY\\SYSTEM or something along those lines?

vsskishore · ‎11-19-2018

Hey FrankVI,
I've tried the given suggestion but no luck.

vsskishore · ‎11-16-2018

blacklist3 = EventCode="4663" Message="Security ID:(\w[NT]\s\w+.\w+)"
this is not working.

Splunk_TA_Windows event blacklist not working

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!