Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

blacklisting event code 4679. TaskCategory=Kerberos Service Ticket Operations

nyajoefit22
Loves-to-Learn Lots
‎12-19-2023 04:46 PM

Hello,

I am trying to blacklist winevent code 4679 by   TaskCategory=Kerberos Service Ticket Operations. 

This regex is not working. 

blacklist7 = EventCode="4769" TaskCategory="\w+\s\w+\s\w+\s\w+"

Ive also tried 

blacklist7 = EventCode="4769" TaskCategory="Kerberos Service Ticket Operations"

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-19-2023 11:36 PM

Hi @nyajoefit22,

you shoud try to use a regex not only for the TaskCategory field but for al the rule, something like this:

 

blacklist7 = EventCode\s*\=\s*4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

 

I could be more detailed if you can share a sample of your logs.

You can find many answer to this question in Community.

Ciao.

Giuseppe

0 Karma
Reply

Bo3432
Explorer
‎12-20-2023 07:07 AM

This is the log. According to the splunk blacklisting documentation ., event codes do not have to be in regex format. 



LogName=Security
EventCode=4769
EventType=0
SourceName=Microsoft-Windows-Security-Auditing
Type=Information
RecordNumber=642560180
Keywords=Audit Success
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
Message=A Kerberos service ticket was requested.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-20-2023 07:28 AM

Hi @Bo3432 ,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf blacklist requires a regex:

blacklist = <regular expression>

but also:

blacklist = <comma-separated list> | key=regex [key=regex]

so I prefer to use a full regex containing both the keywors.

In your case, you have a multiline log, so you have to add "(?ms)" to the beginning of the regex:

(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

that you can test at https://regex101.com/r/ToPGX2/1

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...