blacklisting event code 4679. TaskCategory=Kerber...

nyajoefit22 · ‎12-19-2023

Hello,

I am trying to blacklist winevent code 4679 by TaskCategory=Kerberos Service Ticket Operations.

This regex is not working.

blacklist7 = EventCode="4769" TaskCategory="\w+\s\w+\s\w+\s\w+"

Ive also tried

blacklist7 = EventCode="4769" TaskCategory="Kerberos Service Ticket Operations"

gcusello · ‎12-19-2023

Hi @nyajoefit22,

you shoud try to use a regex not only for the TaskCategory field but for al the rule, something like this:

blacklist7 = EventCode\s*\=\s*4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

I could be more detailed if you can share a sample of your logs.

You can find many answer to this question in Community.

Ciao.

Giuseppe

Bo3432 · ‎12-20-2023

This is the log. According to the splunk blacklisting documentation ., event codes do not have to be in regex format.

LogName=Security
EventCode=4769
EventType=0
SourceName=Microsoft-Windows-Security-Auditing
Type=Information
RecordNumber=642560180
Keywords=Audit Success
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
Message=A Kerberos service ticket was requested.

gcusello · ‎12-20-2023

Hi @Bo3432 ,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf blacklist requires a regex:

blacklist = <regular expression>

but also:

blacklist = <comma-separated list> | key=regex [key=regex]

so I prefer to use a full regex containing both the keywors.

In your case, you have a multiline log, so you have to add "(?ms)" to the beginning of the regex:

(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

that you can test at https://regex101.com/r/ToPGX2/1

Ciao.

Giuseppe

blacklisting event code 4679. TaskCategory=Kerberos Service Ticket Operations

regex

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation