Looking for some assistance with nf on Windows Systems.

opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/nf

1) Do we need to do anything for our splunk clients to pick up changes?

2) In terms of performance and syntax, does anyone have any concerns or recommendations to improve the performance of the 6 blacklists below? We believe they work but are unsure on performance.

```
blacklist1 = EventCode="4662" Message="(?i)Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="(?i)Object Type:(?!\s*groupPolicyContainer)"
blacklist4 = EventCode="4688" Message="(?im:New Process Name:).*(?i:SplunkUniversalForwarder\\bin\\)(?i:splunk\.exe|btool\.exe)"
blacklist5 = EventCode="4688" ComputerName="verybadscripts\.myco\.com" Message="(?im:New Process Name.*(\\grep\.exe|\\awk\.exe))"
blacklist6 = EventCode="(4624|4634|4672)" ComputerName="(?i:(.+noisycomp|.+loudercomp).+\.myco\.com)" Message="(?im:.*Account Name:\s+.*(noisycomp|loudercomp).*\$)"
```

As an example, computers have names like abloudercomp01 and bcdloudercompx02, and so the account names would be abloudercomp01$ and bcdloudercompx02$ respectively.
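A small harness, added here as an example and not taken from the question or from Splunk's TA, that evaluates three of the blacklist entries above the way the inputs.conf syntax describes (every key="regex" pair within one entry must match, any entry suffices, regexes are searched unanchored, which is an assumption about the TA's matching) against constructed Windows Security events. Running it before deployment shows which events each entry drops, so a blacklist that is too broad does not silently discard logons or process events you still want; the host names and events are constructed.

```python
import re

# Blacklist entries copied from the question (inputs.conf syntax). Every
# key="regex" pair in one entry must match for it to drop an event; any entry suffices.
BLACKLISTS = {
    "blacklist1": r'EventCode="4662" Message="(?i)Object Type:(?!\s*groupPolicyContainer)"',
    "blacklist4": r'EventCode="4688" Message="(?im:New Process Name:).*'
                  r'(?i:SplunkUniversalForwarder\\bin\\)(?i:splunk\.exe|btool\.exe)"',
    "blacklist6": r'EventCode="(4624|4634|4672)" '
                  r'ComputerName="(?i:(.+noisycomp|.+loudercomp).+\.myco\.com)" '
                  r'Message="(?im:.*Account Name:\s+.*(noisycomp|loudercomp).*\$)"',
}
# one key="regex" token; the regex may itself contain spaces, so stop only at the next key
PAIR = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|$)')

def parse_blacklist(entry):
    """Split one blacklist value into (field, compiled regex) pairs."""
    return [(field, re.compile(rx)) for field, rx in PAIR.findall(entry)]

def is_blacklisted(event, blacklists=BLACKLISTS):
    """Name of the first entry whose pairs all match (unanchored search, an assumption), else None."""
    for name, entry in blacklists.items():
        if all(rx.search(str(event.get(f, ""))) for f, rx in parse_blacklist(entry)):
            return name
    return None

# constructed sample events, trimmed to the Security-log fields the regexes look at
SAMPLE_EVENTS = {
    "gpo-read":      {"EventCode": "4662", "Message": "Object Type:\t\tgroupPolicyContainer"},
    "user-read":     {"EventCode": "4662", "Message": "Object Type:\t\tuser"},
    "uf-btool":      {"EventCode": "4688", "Message": "New Process Name:\tC:\\Program Files"
                      "\\SplunkUniversalForwarder\\bin\\btool.exe"},
    "cmd":           {"EventCode": "4688", "Message": "New Process Name:\tC:\\Windows\\System32\\cmd.exe"},
    "machine-logon": {"EventCode": "4624", "ComputerName": "bcdloudercompx02.myco.com",
                      "Message": "Subject:\r\n\tAccount Name:\t\tbcdloudercompx02$"},
    "user-logon":    {"EventCode": "4624", "ComputerName": "bcdloudercompx02.myco.com",
                      "Message": "Subject:\r\n\tAccount Name:\t\tjsmith"},
}

def report(events=SAMPLE_EVENTS):
    """Map each sample label to the blacklist that drops it (None means forwarded)."""
    return {label: is_blacklisted(ev) for label, ev in events.items()}

if __name__ == "__main__":
    for label, hit in report().items():
        print(f"{label:14} {'dropped by ' + hit if hit else 'forwarded'}")
```

The GPO read and the interactive user logon are forwarded while the generic object read, the forwarder's own btool.exe launch and the machine-account logon are dropped; swapping in a real exported event for one of the samples is the quickest way to confirm an entry before pushing it from deployment-apps.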