×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
OpeKush
New Member
Member since: ‎05-14-2024
‎05-14-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-14-2024
Activity Feed
Topics I've Started
View All

Re: Trouble Blacklisting Windows Event

by in Splunk Search
‎05-14-2024 06:25 AM
‎05-14-2024 06:25 AM
Tried that already, no dice. ... View more

Trouble Blacklisting Windows Event

by in Splunk Search
‎05-14-2024 05:42 AM
‎05-14-2024 05:42 AM
Hi I was wondering if there was a way I could blacklist the following event based on the event code and the account name under the Subject field. So I want to blacklist events of code 4663 with a subject name of COMPUTER8-55$. What would the regex for that look like? 05/10/2024 01:05:35 PM LogName=Sec EventCode=4670 EventType=0 ComputerName=myComputer.net SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=10000000 Keywords=Audit Success TaskCategory=Authorization Policy Change OpCode=Info Message=Permissions on an object were changed.   Subject: Security ID: S-0-20-35 Account Name: COMPUTER8-55$ Account Domain: myDomain Logon ID: 0x3E7   Object: Object Server: Security Object Type: Token Object Name: - Handle ID: 0x1718   Process: Process ID: 0x35c Process Name: C:\Windows\System32\svchost.exe   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-14-2024 04:31 PM