As we have recently enabled various audit settings on our domain, we now have 4662 events being generated on the DCs. I am now trying to reduce the number of 4662 events being forwarded to our Splunk backend on the "front end" by tuning the inputs.conf on the DCs. The desired situation is that only events that contain one of the GUIDs that indicate a potential DCSync attack are being forwarded to Splunk: "Replicating Directory Changes all", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" , "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"or "9923a32a+-3607-11d2-b9be-0000f87a36b2". (from https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters/) So dropping all 4662 events, except if they match any of these GUIDs. I've been playing with the existing blacklist line for events 4662 to fulfil this purpose, but can't seem to get it to work. Not even for one of these GUIDs like for example the below: blacklist1 = EventCode="4662" Message="Properties:\sControl\sAccess\s^(?!.*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2})" Obviously I've restarted the Splunk forwarder after every tweak. Anybody that can help with compiling a proper blacklist entry? ... View more