Getrektscrub 224

Reputation: 1

Splunk Blacklisting

Hi, I was wondering if there was a way I could blacklist the following events in Splunk based on the event code and the account name under the Subject field. So I want to blacklist events of code 4663 with a subject name of COMPUTER8-55$. What would the regex for that look like?

05/10/2024 01:05:35 PM
LogName=Sec
EventCode=4670
EventType=0
ComputerName=myComputer.net
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10000000
Keywords=Audit Success
TaskCategory=Authorization Policy Change
OpCode=Info
Message=Permissions on an object were changed.

Subject:
Security ID: S-0-20-35
Account Name: COMPUTER8-55$
Account Domain: myDomain
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: Token
Object Name: -
Handle ID: 0x1718

Process:
Process ID: 0x35c
Process Name: C:\Windows\System32\svchost.exe

This is what I tried:

blacklist1 = EventCode=(4663) Message=(?ms).*Subject:.*Account\sName:\s+CLIENT6-44$

This does not work, as the event still gets pushed to the indexer from the forwarder.

Upvotes: 0

Views: 45

Answers (0)
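The question has no answers on the page. As an added illustration (not written by the original poster, and not Splunk's own code), the following Python script parses a constructed event in the same layout as the one above and applies a blacklist the way a `blacklistN = Key="regex" Key="regex"` line in the `[WinEventLog://Security]` stanza of a forwarder's inputs.conf does: every key/regex pair has to match for the event to be dropped. It shows two properties of the pattern posted in the question: an unescaped `$` in a PCRE or Python regex is the end-of-line anchor, so `COMPUTER8-55$` can never match the literal machine-account name and has to be written `COMPUTER8-55\$`; and without the `(?ms)` flags, `.` cannot cross the line breaks between the first `Message=` line and the `Subject:` block. Separately, the event pasted in the question is EventCode 4670, so a rule keyed on 4663 would not drop that particular event whatever the Message regex says. The sample event, the helper names `parse_event` and `blacklisted`, and the assumption that the Message field the forwarder matches against holds the full multi-line message body are this example's, not the page's.

```python
import re

# Constructed sample record, modelled on the event in the question but with
# EventCode 4663 (the code the question wants to drop). Not a real log.
SAMPLE_EVENT = """\
05/10/2024 01:05:35 PM
LogName=Security
EventCode=4663
EventType=0
ComputerName=myComputer.net
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10000001
Keywords=Audit Success
TaskCategory=File System
OpCode=Info
Message=An attempt was made to access an object.

Subject:
Security ID: S-0-20-35
Account Name: COMPUTER8-55$
Account Domain: myDomain
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: -
Handle ID: 0x1718
"""

# Same record for a different (constructed) account, which must NOT be dropped.
OTHER_EVENT = SAMPLE_EVENT.replace("COMPUTER8-55$", "jdoe")

HEADER_RE = re.compile(r"^(\w+)=(.*)$")


def parse_event(text: str) -> dict:
    """Split a Splunk-style WinEventLog record into fields.

    Lines before ``Message=`` are ``Key=Value`` pairs. Everything from
    ``Message=`` to the end of the record is treated as the multi-line
    Message field (assumption: that is what the forwarder matches against).
    """
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            body = [line[len("Message="):]] + lines[i + 1:]
            fields["Message"] = "\n".join(body)
            break
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def blacklisted(fields: dict, rule: dict) -> bool:
    """Mimic one inputs.conf blacklist line: every key=regex pair must match."""
    for key, pattern in rule.items():
        if not re.search(pattern, fields.get(key, "")):
            return False
    return True


# The pattern as posted in the question: the trailing '$' is an anchor, so
# "COMPUTER8-55" would have to be followed by end-of-line, which it is not.
UNESCAPED = {"EventCode": r"4663",
             "Message": r"(?ms).*Subject:.*Account\sName:\s+COMPUTER8-55$"}

# Corrected: the machine account's literal '$' is escaped as '\$'.
# Equivalent inputs.conf line (Splunk quotes each regex value):
#   blacklist1 = EventCode="4663" Message="(?ms).*Subject:.*Account\sName:\s+COMPUTER8-55\$"
ESCAPED = {"EventCode": r"4663",
           "Message": r"(?ms).*Subject:.*Account\sName:\s+COMPUTER8-55\$"}

# Escaped, but without (?ms): '.' stops at line breaks, so '.*Subject:.*Account'
# cannot span the blank line and the line break after "Subject:".
NO_FLAGS = {"EventCode": r"4663",
            "Message": r".*Subject:.*Account\sName:\s+COMPUTER8-55\$"}


def evaluate() -> dict:
    """Return which rule variants drop the sample event and the other account."""
    sample = parse_event(SAMPLE_EVENT)
    other = parse_event(OTHER_EVENT)
    return {
        "unescaped_drops_sample": blacklisted(sample, UNESCAPED),  # False
        "escaped_drops_sample": blacklisted(sample, ESCAPED),      # True
        "no_flags_drops_sample": blacklisted(sample, NO_FLAGS),    # False
        "escaped_drops_other": blacklisted(other, ESCAPED),        # False
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

Only the `ESCAPED` variant drops the 4663 event for `COMPUTER8-55$` while leaving the same event for another account alone; the posted pattern fails on the `$` anchor and the flag-less variant fails on the line breaks. Since `re.search` (like the forwarder's regex match) already finds the pattern anywhere in the field, the leading `.*Subject:.*` is not required, but it does restrict the match to an Account Name that appears after the `Subject:` heading rather than in the Object section.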
