Splunk Search

blacklisting event code 4679. TaskCategory=Kerberos Service Ticket Operations

nyajoefit22
Loves-to-Learn Lots

Hello,

I am trying to blacklist winevent code 4679 by TaskCategory=Kerberos Service Ticket Operations.

This regex is not working. 

blacklist7 = EventCode="4769" TaskCategory="\w+\s\w+\s\w+\s\w+"

I've also tried

blacklist7 = EventCode="4769" TaskCategory="Kerberos Service Ticket Operations"


gcusello
SplunkTrust

Hi @nyajoefit22,

you should try to use a regex not only for the TaskCategory field but for the whole rule, something like this:

blacklist7 = EventCode\s*\=\s*4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

I could be more detailed if you can share a sample of your logs.

You can find many answers to this question in Community.

Ciao.

Giuseppe


Bo3432
Explorer

This is the log. According to the Splunk blacklisting documentation, event codes do not have to be in regex format.

LogName=Security
EventCode=4769
EventType=0
SourceName=Microsoft-Windows-Security-Auditing
Type=Information
RecordNumber=642560180
Keywords=Audit Success
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
Message=A Kerberos service ticket was requested.

gcusello
SplunkTrust

Hi @Bo3432,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf blacklist requires a regex:

blacklist = <regular expression>

but also:

blacklist = <comma-separated list> | key=regex [key=regex]

so I prefer to use a full regex containing both the keywords.

In your case, you have a multiline log, so you have to add "(?ms)" to the beginning of the regex:

(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

that you can test at https://regex101.com/r/ToPGX2/1

Ciao.

Giuseppe

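To see why the (?ms) prefix matters before putting the rule into inputs.conf, here is a small added check (not from the thread or from Splunk) that runs both candidate regexes against an event modelled on the log posted above; Python's re honours the inline (?ms) flags the same way PCRE does, and the sample event and the anchored variant are constructed here, not taken from the thread.

```python
import re

# Constructed sample event, modelled on the log posted in the thread.
SAMPLE_EVENT = """LogName=Security
EventCode=4769
EventType=0
SourceName=Microsoft-Windows-Security-Auditing
Type=Information
RecordNumber=642560180
Keywords=Audit Success
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
Message=A Kerberos service ticket was requested."""

# The two patterns from the thread: without and with the (?ms) prefix.
# 's' lets '.' match newlines (needed because TaskCategory sits on a later
# line than EventCode); 'm' makes ^ and $ match at line boundaries.
PATTERN_NO_FLAGS = r"EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+"
PATTERN_MS = r"(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+"

# Tighter variant (an assumption added here, not from the thread): anchor
# both keys at line start/end so only the real fields, not free text in the
# Message line, can satisfy the rule.
PATTERN_ANCHORED = (
    r"(?ms)^EventCode=4769$.*^TaskCategory=Kerberos Service Ticket Operations$"
)


def would_blacklist(pattern: str, event: str) -> bool:
    """True if the regex matches anywhere in the raw event text (unanchored search)."""
    return re.search(pattern, event) is not None


def check_patterns(event: str = SAMPLE_EVENT) -> dict:
    """Evaluate the thread's two patterns and the anchored variant against an event."""
    return {
        "without_ms": would_blacklist(PATTERN_NO_FLAGS, event),
        "with_ms": would_blacklist(PATTERN_MS, event),
        "anchored": would_blacklist(PATTERN_ANCHORED, event),
    }


if __name__ == "__main__":
    print(check_patterns())
    # A 4769 event with a different category should not be blacklisted.
    print(check_patterns(SAMPLE_EVENT.replace(
        "Kerberos Service Ticket Operations", "Logon")))
```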