animetauren · December 14, 2023 16:03
diff --git a/drop_events.txt b/drop_events.txt
 blacklist1 = \bEventCode=(4662|566)\b[\s\S]*?\bObject Type:\s+(?!groupPolicyContainer)\b
 blacklist2 = \bEventCode=(4656|4670|4663|4703|4658|4688)\b[\s\S]*?\bAccount Name:\s*([^\s\$]+[^\s\$])\b
 blacklist3 = \bEventCode=4624\b[\s\S]*?\bAn account was successfully logged on(\n|\r)*\b
 blacklist4 = \bEventCode=(4688|4689)\b[\s\S]*?\bProcess Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)\b
 blacklist5 = \bEventCode=6278\b[\s\S]*?\bNetwork Policy Server granted full access to a user because the host met the defined health policy.\b
	blacklist1 = \bEventCode=(4662\|566)\b[\s\S]*?\bObject Type:\s+(?!groupPolicyContainer)\b
	blacklist2 = \bEventCode=(4656\|4670\|4663\|4703\|4658\|4688)\b[\s\S]?\bAccount Name:\s([^\s\$]+[^\s\$])\b
	blacklist3 = \bEventCode=4624\b[\s\S]?\bAn account was successfully logged on(\n\|\r)\b
	blacklist4 = \bEventCode=(4688\|4689)\b[\s\S]?\bProcess Name:\s(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)\b
	blacklist5 = \bEventCode=6278\b[\s\S]*?\bNetwork Policy Server granted full access to a user because the host met the defined health policy.\b