Why is Windows event monitoring blacklist ignored?

cmlombardo · ‎05-18-2022

Hello there. I have this stanza configured for event logs on the Domain Controllers:

[WinEventLog://Security]
disabled = 0
index=winos_i
blacklist1 = EventCode="4662" Message="Object Name:\s+CN=(?!mycn-1|mycn-2)"
blacklist2 = 538,565,566,576,835,836,837,4931,4932,4933

Basically, I want only the 4662 events related to the CNs above.

Well... I push the configuration to the DCs... and suddenly i get ALL 4662 events.

What is wrong with that configuration? Can't figure this out.

Thank you...

cmlombardo · ‎05-19-2022

The REGEX matches for a message that does not contain either of those 2 CN. So all the matched events should be blacklisted. But they're not.

Negative lookahead is the only simple option to filter .those messages. Otherwise you'll need to use a very "unreadable" regex to have the same result.

Also, the negative lookahead to filter 4662 events is what is suggested here:

https://www.splunk.com/en_us/blog/tips-and-tricks/controlling-4662-messages-in-the-windows-security-...

richgalloway · ‎05-18-2022

You'll get all 4662 events if the regex doesn't match anything. Have you tested that regular expression on regex101.com? IME, negative lookaheads don't work well in Splunk so see if there's another way to get the same results.

---
If this reply helps you, Karma would be appreciated.

cmlombardo · ‎05-23-2022

Please see my post above.

The regex matches exactly what I need to exclude (all the events but those related to the OUs in the regex).

The negative lookahead is what is recommended in the blog.

Thank you.

Why is Windows event monitoring blacklist ignored?

blacklist

inputs.conf

universal forwarder

Windows

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?