@animetauren
Last active April 19, 2023 19:50
Windows Event Blacklisting for Splunk
# inputs.conf blacklist entries for the Security event log (the 4xxx/5xxx and 6278 codes below all live there).
# Within one blacklistN every key="regex" pair must match for the event to be dropped; the numbered entries are ORed.

# Drop 4662/566 object-access events unless the object is a Group Policy container.
# The lookahead is placed directly after the colon: with "Object Type:\s+(?!groupPolicyContainer)",
# \s+ can give back one of the alignment tabs so the lookahead sees a tab instead of the word,
# and groupPolicyContainer events are dropped as well.
blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"

# Drop 4656/4670/4663/4703/4658/4688 events whose Account Name starts with at least two characters
# that are neither whitespace nor $. Note that a computer account such as HOST$ still matches on "HO",
# so this entry removes nearly every event with these codes.
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:\s*([^\s\$]+[^\s\$])"

# Drop every 4624 (successful logon) event; the message text always begins this way.
blacklist3 = EventCode="4624" Message="An account was successfully logged on(\n|\r)*"

# Drop process create/terminate (4688/4689) events for the Splunk forwarder's own binaries.
# (?i) is a PCRE inline flag; Splunk's regex engine accepts it mid-pattern.
blacklist4 = EventCode="(4688|4689)" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

# Drop NPS 6278 "granted full access" health-policy events.
blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
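A dry run of these blacklists against constructed Security-log messages, added here as an example and not part of the gist. It assumes Splunk's documented semantics (all key="regex" pairs in one blacklistN must match, the numbered blacklists are ORed, each regex is searched unanchored in the field value), hoists blacklist4's mid-pattern `(?i)` to a compile flag because Python's `re` rejects it there, and carries blacklist1 both in the `\s+(?!groupPolicyContainer)` form and as an added variant `blacklist1b` with the lookahead anchored at the colon so the two can be compared on a tab-aligned message.

```python
import re

# Copy of the gist's blacklist stanza (blacklist5 omitted). blacklist1b is an
# added variant that anchors the negative lookahead directly after the colon.
INPUTS_CONF = r'''
blacklist1 = EventCode="(4662|566)" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist1b = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:\s*([^\s\$]+[^\s\$])"
blacklist3 = EventCode="4624" Message="An account was successfully logged on(\n|\r)*"
blacklist4 = EventCode="(4688|4689)" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
'''

def compile_pcre(pattern: str):
    # Splunk's PCRE accepts (?i) mid-pattern (blacklist4 does this); Python's re does not, so hoist it.
    flags = re.IGNORECASE if "(?i)" in pattern else 0
    return re.compile(pattern.replace("(?i)", ""), flags)

def parse_blacklists(conf: str) -> dict:
    """Parse 'blacklistN = key="regex" key="regex"' lines into {name: {key: compiled regex}}."""
    rules = {}
    for line in conf.splitlines():
        name, _, rhs = line.partition("=")
        if name.strip().startswith("blacklist"):
            rules[name.strip()] = {k: compile_pcre(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rhs)}
    return rules

def dropping_rules(rules: dict, event: dict) -> list:
    """Names of the blacklists that would drop the event (assumed semantics: all pairs in a
    rule must match, rules are ORed, regexes are searched rather than anchored)."""
    return [n for n, pairs in rules.items()
            if all(rx.search(event.get(k, "")) for k, rx in pairs.items())]

# Constructed events in the tab-aligned "Field:<tabs>value" layout Splunk renders for Windows
# Security messages. The two tabs after "Object Type:" are what lets blacklist1's \s+ backtrack.
SAMPLES = {
    "gpo_read": {"EventCode": "4662", "Message": "\tObject Type:\t\tgroupPolicyContainer\r\n"},
    "user_read": {"EventCode": "4662", "Message": "\tObject Type:\t\tuser\r\n"},
    "splunkd_start": {"EventCode": "4688", "Message": "\tAccount Name:\t\tHOST$\r\n\tNew Process Name:\t"
                      "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\r\n"},
    "logon": {"EventCode": "4624", "Message": "An account was successfully logged on.\r\n"},
}

def run_check(conf: str = INPUTS_CONF) -> dict:
    rules = parse_blacklists(conf)
    return {label: dropping_rules(rules, ev) for label, ev in SAMPLES.items()}

if __name__ == "__main__":
    for label, dropped in run_check().items():
        print(f"{label:14s} dropped by: {dropped or 'nothing (kept)'}")
```

The run shows the groupPolicyContainer event being dropped by blacklist1 but kept by blacklist1b, and the splunkd 4688 event being caught by blacklist2 before blacklist4 is ever needed.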