Nice Windows event blacklisting

# Splunk inputs.conf: Windows Security event log input with noise filters
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# 4662 (and the legacy 566) directory service object access: drop everything except operations on groupPolicyContainer objects
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# 4688 process creation / 4689 process exit: drop the forwarder's and indexer's own Splunk binaries
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

pmeyerson commented Jun 21, 2017

For some reason blacklist3 did not seem to work for me (6.6.1), but this did:
blacklist3 = EventCode="4688" Message="New Process Name:\s*(C:\Program Files\SplunkUniversalForwarder\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"

automine (Owner Author) commented Aug 7, 2017

Yep, you are correct. I've adjusted the regex, as well as added a character class for the drive letter for the install ([C-F]). Note that this could be a potential security issue. If you know for sure that all of your deployments should be on C:, then I would recommend replacing that character class with C.

automine (Owner Author) commented Sep 29, 2017

Updated to include the termination of processes (4689).

automine (Owner Author) commented Sep 29, 2017

Note: a lot of this is from other sources, like RF and the Windows Splunk Logging Cheatsheet.

automine (Owner Author) commented Oct 30, 2017

Updated blacklist1 and blacklist2, as they were overfiltering. Thanks Brandon!


password123456 commented Mar 12, 2018

There is another way to configure this without using a blacklist filter.
If you do not want REG-MON, WMI-MON, AD-MON, PERFMON, etc., just disable its function.

inputs.conf

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[perfmon]
interval = -1
[powershell]
interval = -1
[powershell2]
interval = -1
[admon]
interval = -1
[WinRegMon]
interval = -1
[WinNetMon]
interval = -1
[MonitorNoHandle]
interval = -1
[WinPrintMon]
interval = -1

automine (Owner Author) commented Dec 21, 2018

Added the |optimize to cover Windows indexers running the splunk-optimize.exe process.


jpbarron commented Jun 8, 2019

Since Splunk is limited to 10 blacklists for the Windows TA, here is how I consolidated a few lines...

blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)"
blacklist3 = EventCode="4624" Message="An account was successfully logged on"
blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%"
blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
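Blacklist regexes are easy to get subtly wrong, and a rule that drops too much silently removes evidence from the SIEM. The script below is an added example, not code from the gist, from any commenter, or from Splunk. It parses the gist's blacklist1-4 and the consolidated `(4662|566)` rule from the comment above, applies them to constructed Security event bodies (the messages are made up to match the field layout of 4688, 4689, 4662 and 566 events, not captured logs), and reports which rule drops each event. It assumes Splunk's documented semantics for `blacklistN = key="regex" key="regex"`: each regex is an unanchored PCRE search against that event field, and every pair in one blacklistN must match for the event to be dropped. The `D:` sample illustrates the drive-letter point the author raised about `[C-F]`; the `evil.exe` sample shows the rule only suppresses the listed binary names, not everything under the Splunk `bin` directory.

```python
"""Offline check of Splunk inputs.conf WinEventLog blacklists against sample events.

Added example; not part of the gist. Assumed Splunk semantics: each key="regex"
is an unanchored search on that field, and all pairs in one blacklistN must match.
All event messages below are constructed, not captured from a real host.
"""
import re

# The four rules from the gist, copied verbatim (raw string: backslashes stay literal).
GIST_CONF = r"""
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
"""

# The consolidated 4662/566 rule from the comment above (EventCode alternation).
CONSOLIDATED_CONF = r"""
blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
"""

PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key="regex" pairs; regex may contain \"
RULE_RE = re.compile(r'(blacklist\d*)\s*=\s*(.*)')


def compile_pcre(pattern):
    """Compile a PCRE-style pattern with Python's re.

    PCRE accepts an inline (?i) anywhere in the pattern; Python 3.11+ rejects a
    global flag that is not at the very start, so hoist it. That is the only
    translation the patterns on this page need.
    """
    if "(?i)" in pattern:
        pattern = "(?i)" + pattern.replace("(?i)", "")
    return re.compile(pattern)


def parse_blacklists(conf):
    """Return {rule_name: [(field, compiled_regex), ...]} from inputs.conf text."""
    rules = {}
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, value = m.groups()
            rules[name] = [(k, compile_pcre(v)) for k, v in PAIR_RE.findall(value)]
    return rules


def dropped_by(event, rules):
    """Name of the first blacklist that drops the event, or None if it is forwarded."""
    for name, pairs in rules.items():
        if pairs and all(rx.search(event.get(field, "")) for field, rx in pairs):
            return name
    return None


def process_event(code, label, path):
    # 4688/4689 body shape: "<label>:<TAB><path>" on its own line.
    return {"EventCode": str(code),
            "Message": f"A process event.\r\n\r\nProcess Information:\r\n\t{label}:\t{path}\r\n"}


def ds_access_event(code, object_type):
    # 4662/566 body shape: "Object Type:<TAB><type>" on its own line.
    return {"EventCode": str(code),
            "Message": f"An operation was performed on an object.\r\n\r\nObject:\r\n"
                       f"\tObject Server:\tDS\r\n\tObject Type:\t{object_type}\r\n"}


# Constructed sample events, keyed by a short description.
SAMPLE_EVENTS = {
    "4688 UF splunkd":       process_event(4688, "New Process Name", r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"),
    "4688 winevtlog":        process_event(4688, "New Process Name", r"C:\Program Files\Splunk\bin\splunk-winevtlog.exe"),
    "4688 cmd.exe":          process_event(4688, "New Process Name", r"C:\Windows\System32\cmd.exe"),
    "4688 evil in bin":      process_event(4688, "New Process Name", r"C:\Program Files\SplunkUniversalForwarder\bin\evil.exe"),
    "4688 D: drive splunkd": process_event(4688, "New Process Name", r"D:\Program Files\Splunk\bin\splunkd.exe"),
    "4689 splunk-optimize":  process_event(4689, "Process Name", r"C:\Program Files\Splunk\bin\splunk-optimize.exe"),
    "4662 GPO":              ds_access_event(4662, "groupPolicyContainer"),
    "4662 user":             ds_access_event(4662, "user"),
    "566 user":              ds_access_event(566, "user"),
    "4624 logon":            {"EventCode": "4624", "Message": "An account was successfully logged on.\r\n"},
}


def run_suite(conf, events=SAMPLE_EVENTS):
    """Apply every blacklist in `conf` to every sample event; returns {description: rule or None}."""
    rules = parse_blacklists(conf)
    return {desc: dropped_by(ev, rules) for desc, ev in events.items()}


if __name__ == "__main__":
    for desc, hit in run_suite(GIST_CONF).items():
        print(f"{desc:24} -> {'dropped by ' + hit if hit else 'forwarded'}")
```

Run it as-is to see the gist rules; swap in `CONSOLIDATED_CONF` (or paste your own stanza) to confirm a rewritten rule drops exactly the same events before it goes to the forwarders. Pattern features Python's `re` does not share with PCRE beyond the inline-flag placement handled here would need a PCRE binding instead.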
