@animetauren
Created December 14, 2023 16:03
Regex to Drop Windows Events using Splunk Ingest Actions
blacklist1 = \bEventCode=(4662|566)\b[\s\S]*?\bObject Type:\s+(?!groupPolicyContainer)\b
blacklist2 = \bEventCode=(4656|4670|4663|4703|4658|4688)\b[\s\S]*?\bAccount Name:\s*([^\s\$]+[^\s\$])\b
blacklist3 = \bEventCode=4624\b[\s\S]*?\bAn account was successfully logged on(\n|\r)*\b
blacklist4 = \bEventCode=(4688|4689)\b[\s\S]*?\bProcess Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)\b
blacklist5 = \bEventCode=6278\b[\s\S]*?\bNetwork Policy Server granted full access to a user because the host met the defined health policy.\b
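An added test harness (not part of the gist) that runs the five regexes above against constructed WinEventLog-style samples with Python's re module, so you can see which events each rule would drop before enabling it in Ingest Actions. The sample events and their field values are constructed; Python's re stands in for Splunk's PCRE, with the one inline-flag adjustment noted in the code.

```python
import re

# The five blacklist regexes from the gist, embedded verbatim as raw strings.
BLACKLISTS = {
    "blacklist1": r"\bEventCode=(4662|566)\b[\s\S]*?\bObject Type:\s+(?!groupPolicyContainer)\b",
    "blacklist2": r"\bEventCode=(4656|4670|4663|4703|4658|4688)\b[\s\S]*?\bAccount Name:\s*([^\s\$]+[^\s\$])\b",
    "blacklist3": r"\bEventCode=4624\b[\s\S]*?\bAn account was successfully logged on(\n|\r)*\b",
    "blacklist4": r"\bEventCode=(4688|4689)\b[\s\S]*?\bProcess Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)\b",
    "blacklist5": r"\bEventCode=6278\b[\s\S]*?\bNetwork Policy Server granted full access to a user because the host met the defined health policy.\b",
}

def compile_pcre_like(pattern):
    """Compile a Splunk (PCRE) pattern with Python's re.

    Python 3.11+ rejects a global inline flag such as (?i) that is not at the
    start of the pattern; PCRE applies it to everything that follows. Rewrite
    it as a scoped group (?i:...) over the remainder so the meaning is kept.
    """
    if "(?i)" in pattern and not pattern.startswith("(?i)"):
        pattern = pattern.replace("(?i)", "(?i:", 1) + ")"
    return re.compile(pattern)

COMPILED = {name: compile_pcre_like(p) for name, p in BLACKLISTS.items()}

def matching_blacklists(event):
    """Names of every blacklist whose regex matches the raw event text."""
    return [name for name, rx in COMPILED.items() if rx.search(event)]

def would_drop(event):
    """True if at least one blacklist matches, i.e. the event would be dropped."""
    return bool(matching_blacklists(event))

# Constructed sample events in the multi-line WinEventLog _raw layout (not real logs).
EV_4662_GPO = "EventCode=4662\nAccount Name:\tjdoe\nObject Type:\tgroupPolicyContainer\n"
EV_4662_USER = "EventCode=4662\nAccount Name:\tjdoe\nObject Type:\tuser\n"
EV_4688_SPLUNKD = ("EventCode=4688\nAccount Name:\tSRV01$\nProcess Name:\t"
                   "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\n")
EV_4624_OK = "EventCode=4624\nAn account was successfully logged on.\nAccount Name:\tjdoe\n"
EV_4625_FAIL = "EventCode=4625\nAn account failed to log on.\nAccount Name:\tjdoe\n"
EV_6278_NPS = ("EventCode=6278\nNetwork Policy Server granted full access to a user "
               "because the host met the defined health policy.\nAccount Name:\tjdoe\n")

if __name__ == "__main__":
    for name, ev in [("4662 GPO", EV_4662_GPO), ("4662 user", EV_4662_USER),
                     ("4688 splunkd", EV_4688_SPLUNKD), ("4624", EV_4624_OK),
                     ("4625", EV_4625_FAIL), ("6278", EV_6278_NPS)]:
        verdict = "DROP" if would_drop(ev) else "keep"
        print(f"{name:13} {verdict:4} {matching_blacklists(ev)}")
```

Two things the run surfaces: blacklist2 also matches a machine account such as SRV01$, because `\b` is satisfied between the final digit and the `$`; and blacklist5 does not match this sample, because `\b` finds no word boundary between the message's trailing period and the newline, so confirm the exact raw text of your 6278 events before relying on that rule.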