I'm trying to blacklist Windows Security Events in XML format. The format for XML blacklist is described here: Hxxps:///Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_and_whitelists_to_filter_on_XML-based_events

blacklist1 = $XmlRegex =

In non XML format we have this blacklist:

blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
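Before shipping a blacklist like the non-XML one above to forwarders, it is worth checking which 4688 events it actually drops, since an over-broad regex silently removes process-creation telemetry. The script below is an added example, not from the original post or from Splunk: it emulates the documented key="regex" matching (every key's regex must match its field, as an unanchored search) over constructed sample events. The doubled backslashes and the [C-F] drive-letter class are assumed here to be what the scrape dropped from the regex.

```python
import re

# The non-XML blacklist value, as it would appear in inputs.conf
# (backslashes doubled and [C-F] drive-letter class assumed restored).
BLACKLIST3 = (
    r'EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\\Program Files\\Splunk'
    r'(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|'
    r'netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"'
)

# key="regex" pairs; assumes no double quote inside a regex, true for this value.
KEY_RE = re.compile(r'(\w+)="([^"]*)"')


def compile_blacklist(value):
    """Turn a blacklist value into {field: compiled regex}.

    Python 3.11+ rejects an inline (?i) that is not at the very start of the
    pattern, so the flag is lifted out and applied via re.IGNORECASE instead."""
    rules = {}
    for key, pattern in KEY_RE.findall(value):
        flags = 0
        if "(?i)" in pattern:
            pattern = pattern.replace("(?i)", "")
            flags |= re.IGNORECASE
        rules[key] = re.compile(pattern, flags)
    return rules


def is_blacklisted(event, rules):
    """Dropped only when every key in the rule matches its field (unanchored search)."""
    return all(key in event and rx.search(event[key]) for key, rx in rules.items())


# Constructed sample events, not real log data.
EVENTS = [
    ("own-forwarder", {"EventCode": "4688", "Message": "A new process has been created.\r\n"
     "New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"}),
    ("case-variant", {"EventCode": "4688", "Message":
     "New Process Name: c:\\program files\\splunk\\bin\\splunk-powershell.exe"}),
    ("lookalike-path", {"EventCode": "4688", "Message":
     "New Process Name: C:\\Temp\\Program Files\\Splunk\\bin\\splunkd.exe"}),
    ("other-binary", {"EventCode": "4688", "Message":
     "New Process Name: C:\\Windows\\System32\\cmd.exe"}),
    ("process-exit", {"EventCode": "4689", "Message":
     "Process Name: C:\\Program Files\\Splunk\\bin\\splunkd.exe"}),
]


def filter_events(events, value=BLACKLIST3):
    """Map each sample name to True if the blacklist would drop it."""
    rules = compile_blacklist(value)
    return {name: is_blacklisted(ev, rules) for name, ev in events}


if __name__ == "__main__":
    for name, dropped in filter_events(EVENTS).items():
        print(f"{name:15} {'DROPPED' if dropped else 'kept'}")
```

Only the forwarder's own binaries under the Splunk install path are dropped; the look-alike path, other processes and the 4689 exit event are kept, because the Message regex is anchored to the "New Process Name: " prefix and the EventCode key must match too.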