From Windows Splunk Logging Cheat Sheet
Filter by Message, NOT by Event Code: It is common to blacklist event codes that are noisy or excessive and that
impact storage and licensing. If you enable Process Creation Success (4688), Process Terminate (4689) and Windows
Firewall Filtering Platform Connection Success (5156 & 5158), they will be the top four event codes in your Splunk
index. Filtering by the content of the Message or a field name is the better way to go. Once you understand which
events are normal noise, carry minimal risk of being abused, and are not important to security monitoring, you can
filter them out at the client or server. For Windows, Splunk limits the blacklist to only 10 entries, so you will need
to chain similar events in one line. Here is an example of a proper exclusion:
[WinEventLog://Security]
disabled=0
current_only=1
# Code-only exclusions: every 4689 and 5158 event is dropped.
blacklist = 4689,5158
# Message-based exclusions: 4688 is dropped only for the forwarder's own binaries.
# Backslashes in the path must be doubled inside the regex: a single "\b" is a word
# boundary and "\s" is whitespace, so "\bin\splunk.exe" would never match the real path.
blacklist1 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd\.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool\.exe)"
blacklist2 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunkwinprintmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkpowershell\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkregmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkadmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkMonitorNoHandle\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkwinevtlog\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkperfmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi\.exe)"
# blacklist3 keys on command-line switches alone, so it also drops non-Splunk processes
# started with these switches (for example COM servers activated with -Embedding);
# prefix each alternative with the SplunkUniversalForwarder path if that is not intended.
blacklist3 = EventCode="4688" Message="(?:Process Command Line:).+(?:--scheme)|.+(?:--no-log)|.+(?:-Embedding)"
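Added example (not from the cheat sheet or from Splunk): a small Python harness that applies blacklist rules the way the forwarder does, so you can check that a Message regex actually drops the events you intend and nothing else. It assumes Splunk's PCRE matching behaves like Python's re for these patterns; the sample 4688 Message bodies are constructed.

```python
import re

# Model of a Splunk universal forwarder [WinEventLog://Security] blacklist: a rule drops an
# event when its EventCode matches and, for Message rules, the regex finds a match anywhere
# in the Message (unanchored search). Added example; this is not Splunk's own code.
CODE_RULE = re.compile(r'^(blacklist\d*)\s*=\s*([\d,\s]+)$')
MSG_RULE = re.compile(r'^(blacklist\d*)\s*=\s*EventCode="(\d+)"\s+Message="(.*)"\s*$')

def parse_rules(conf_text):
    """Return [(name, event_code, compiled_regex_or_None)] from inputs.conf text."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if m := CODE_RULE.match(line):
            rules += [(m.group(1), c.strip(), None) for c in m.group(2).split(",")]
        elif m := MSG_RULE.match(line):
            rules.append((m.group(1), m.group(2), re.compile(m.group(3))))
    return rules

def is_dropped(event_code, message, rules):
    """True if any rule would discard the event before it is forwarded."""
    return any(code == event_code and (rx is None or rx.search(message))
               for _, code, rx in rules)

# Constructed, abbreviated 4688 Message bodies as they appear in the Security log.
SPLUNKD = ("A new process has been created.\r\n"
           "New Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\r\n")
NOTEPAD = ("A new process has been created.\r\n"
           "New Process Name:\tC:\\Windows\\System32\\notepad.exe\r\n")

# Single-backslash form: inside a regex "\b" is a word boundary and "\s" is whitespace,
# so "\bin\splunkd.exe" never matches the real path and the rule drops nothing.
UNESCAPED = r'''[WinEventLog://Security]
blacklist = 4689,5158
blacklist1 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\bin\splunkd.exe)"
'''
# Backslashes doubled and the dot escaped so the regex matches the literal path.
ESCAPED = UNESCAPED.replace(r'\bin\splunkd.exe', r'\\bin\\splunkd\.exe')

def evaluate(conf_text):
    """Map each sample event to True when the config would drop it."""
    rules = parse_rules(conf_text)
    return {"splunkd_4688": is_dropped("4688", SPLUNKD, rules),
            "notepad_4688": is_dropped("4688", NOTEPAD, rules),
            "any_4689": is_dropped("4689", NOTEPAD, rules),
            "any_4624": is_dropped("4624", NOTEPAD, rules)}

if __name__ == "__main__":
    for label, conf in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(label, evaluate(conf))
```

Run it against your real inputs.conf and a few Message bodies copied from the Security log to confirm the forwarder's own 4688 events are the only ones excluded.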