The way mine works is actually like this:
blacklist1 = EventCode="4688" Message="(A new process has been created)(?s).*(splunk-\w*mon|splunk-MonitorNoHandle)"
So the blacklist feature in this case looks for Windows Security Event Log events with an EventCode of 4688, and then reads into the Message field and uses regex to match the message contents. I believe this one was blacklisting EC 4688 when the splunk-*mon process was in the message or splunk-MonitorNoHandle was in the message.
Another working example:
blacklist3 = EventCode="4688" Message="(A new process has been created)(?s).*(GoogleUpdate\.exe|FlashPlayerUpdateService\.exe)"
Again, looking at EventCode of 4688, and then checking for a match when the message contains "A new process has been created" and either GoogleUpdate.exe or FlashPlayerUpdateService.exe. If it matches, it gets dropped by the UF.
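Because anything a blacklist matches is dropped on the forwarder and never reaches the indexer, it is worth checking the regexes against realistic multi-line 4688 messages before deploying them. The script below is an added example, not part of the post or of Splunk: it parses blacklist lines in the post's format and evaluates them against constructed events, assuming the UF applies each field regex as an unanchored search and that all fields in a line must match (and it hoists the mid-pattern `(?s)`, which Python's `re` rejects, into `re.DOTALL`).

```python
import re

# Constructed blacklist lines in the inputs.conf form shown in the post.
BLACKLIST_LINES = {
    "blacklist1": r'EventCode="4688" Message="(A new process has been created)(?s).*(splunk-\w*mon|splunk-MonitorNoHandle)"',
    "blacklist3": r'EventCode="4688" Message="(A new process has been created)(?s).*(GoogleUpdate\.exe|FlashPlayerUpdateService\.exe)"',
}

def parse_blacklist(line):
    """Split a Field="regex" Field="regex" line into {field: compiled regex}."""
    rules = {}
    for field, pattern in re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', line):
        # Splunk's PCRE accepts an inline (?s) in the middle of the pattern;
        # Python 3.11+ rejects global flags that are not at the start, so the
        # flag is hoisted into re.DOTALL (same meaning: '.' also matches newlines).
        flags = re.DOTALL if "(?s)" in pattern else 0
        rules[field] = re.compile(pattern.replace("(?s)", ""), flags)
    return rules

def matching_rule(event, blacklists):
    """Return the name of the first blacklist whose field regexes all match
    (unanchored search per field, assumed to mirror the UF), else None."""
    for name, rules in blacklists.items():
        if all(rx.search(str(event.get(f, ""))) for f, rx in rules.items()):
            return name
    return None

def apply_blacklists(events, lines=BLACKLIST_LINES):
    """Classify each event: the rule name that drops it, or None if it is forwarded."""
    blacklists = {name: parse_blacklist(line) for name, line in lines.items()}
    return [matching_rule(ev, blacklists) for ev in events]

# Constructed sample events; a real 4688 Message field spans several lines,
# which is why the post's regexes need (?s) in front of '.*'.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "Message": "A new process has been created.\n\nProcess Information:\n\tNew Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe"},
    {"EventCode": "4688", "Message": "A new process has been created.\n\nProcess Information:\n\tNew Process Name:\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
    {"EventCode": "4688", "Message": "A new process has been created.\n\nProcess Information:\n\tNew Process Name:\tC:\\Windows\\System32\\notepad.exe"},
    {"EventCode": "4624", "Message": "An account was successfully logged on.\n\nProcess Name:\tsplunk-MonitorNoHandle.exe"},
]

if __name__ == "__main__":
    for ev, rule in zip(SAMPLE_EVENTS, apply_blacklists(SAMPLE_EVENTS)):
        print(ev["EventCode"], "dropped by " + rule if rule else "forwarded")
```

The last sample event shows the AND semantics: a splunk-MonitorNoHandle mention in a 4624 logon event is still forwarded because the EventCode regex does not match.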