

This documentation does not apply to the most recent version of uberAgent.

Event Data Filtering Examples

Article Purpose

This article is a pool of Event Data Filtering rules that is extended continually. Sources include support tickets and community posts.

The rules illustrate what is possible with Event Data Filtering; they must be tested before being used in your own environment.

First, read the official documentation on Event Data Filtering. A few examples are listed there. Then, browse through the rules below.

List of Rules

Logons

# Do not send data about logons of the service user "LogonTest" in domain "AD" and of local as well as domain admins
# Last rule update: 2021-12-22

[EventDataFilter]
Action = deny
Sourcetype = Logon:LogonDetail
Sourcetype = Logon:GroupPolicyCSEDetail2
Query = User == "AD\\LogonTest" OR User LIKE r"%\\administrator"

[EventDataFilter]
Action = deny
Sourcetype = Process:LogonProcesses
Query = ProcUser == "AD\\LogonTest" OR ProcUser LIKE r"%\\administrator"

Miscellaneous

# Do not send any data about the user "JohnDoe" in domain "AD"
# You need to list every source type with one of the following fields: User, ProcUser, or SessionUser
# A list of source types is available in the metrics documentation on https://uberagent.com/docs
# Last rule update: 2021-12-22

[EventDataFilter]
Action = deny
Sourcetype = Application:BrowserPerformanceChrome
Sourcetype = Application:BrowserWebRequests2
Sourcetype = Application:Errors
Sourcetype = Process:LogoffProcesses
Sourcetype = Process:LogonProcesses
Sourcetype = Process:NetworkTargetPerformance
Sourcetype = Process:ProcessDetail
Sourcetype = Process:ProcessStartup
Sourcetype = Process:ProcessStop
Sourcetype = ActivityMonitoring:ProcessTagging
Query = ProcUser == "AD\\JohnDoe"

[EventDataFilter]
Action = deny
Sourcetype = Application:NetworkConnectFailure
Sourcetype = Application:UIDelay
Sourcetype = Logoff:LogoffDetail
Sourcetype = Logon:GroupPolicyCSEDetail2
Sourcetype = Logon:LogonDetail
Sourcetype = Tags:UserHost
Query = User == "AD\\JohnDoe"

[EventDataFilter]
Action = deny
Sourcetype = Session:SessionDetail
Query = SessionUser == "AD\\JohnDoe"
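Because a filter that silently drops the wrong events is hard to notice in the backend, it helps to dry-run a stanza against a handful of representative events before rolling it out. The evaluator below is an added example, not uberAgent code or part of the page: it parses `[EventDataFilter]` stanzas in the layout used above (the two Logons stanzas are embedded as the sample rule set) and reports which constructed events the deny rules would suppress. It assumes a Query is a top-level OR of `Field op "value"` terms with `==`, `!=` and `LIKE`, that `LIKE` uses SQL-style `%` and `_` wildcards with backslash escaping the next character, that a plain `"..."` string collapses `\\` to one backslash while `r"..."` keeps its text as written, and that account names compare case-insensitively. Those are assumptions about uberAgent's query semantics, so confirm them against the product documentation; the last sample event also shows the point from the Miscellaneous section that a source type not listed in the stanza is never filtered.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rule set: the two "Logons" stanzas from this page, verbatim.
RULES_TEXT = r'''
# Do not send data about logons of the service user "LogonTest" in domain "AD"
[EventDataFilter]
Action = deny
Sourcetype = Logon:LogonDetail
Sourcetype = Logon:GroupPolicyCSEDetail2
Query = User == "AD\\LogonTest" OR User LIKE r"%\\administrator"

[EventDataFilter]
Action = deny
Sourcetype = Process:LogonProcesses
Query = ProcUser == "AD\\LogonTest" OR ProcUser LIKE r"%\\administrator"
'''

# One term: Field, operator, optional r prefix, double-quoted literal (assumed grammar).
TERM_RE = re.compile(r'^\s*(\w+)\s+(==|!=|LIKE)\s+(r?)"([^"]*)"\s*$')


def parse_rules(text: str) -> List[Dict]:
    """Split the stanza text into dicts: action, list of source types, query string."""
    rules: List[Dict] = []
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[EventDataFilter]":
            current = {"action": None, "sourcetypes": [], "query": None}
            rules.append(current)
            continue
        if current is None:
            raise ValueError(f"key outside of a stanza: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Sourcetype":
            current["sourcetypes"].append(value)   # Sourcetype may repeat
        elif key == "Action":
            current["action"] = value.lower()
        elif key == "Query":
            current["query"] = value
    return rules


def _unescape(literal: str, raw: bool) -> str:
    # Assumption: "..." turns \\ into a single backslash; r"..." is kept as written.
    return literal if raw else literal.replace("\\\\", "\\")


def _like_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: SQL-style LIKE; % = any run, _ = one char, backslash escapes next char.
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def query_matches(query: str, event: Dict[str, str]) -> bool:
    """Evaluate 'Field op value [OR Field op value ...]' against one event (assumed grammar)."""
    for term in re.split(r"\s+OR\s+", query):
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        field, op, literal = m.group(1), m.group(2), _unescape(m.group(4), m.group(3) == "r")
        actual = event.get(field)
        if actual is None:
            continue                      # field absent from this event: term cannot match
        if op == "LIKE":
            hit = _like_to_regex(literal).match(actual) is not None
        else:
            hit = actual.lower() == literal.lower()   # assumed case-insensitive account names
            if op == "!=":
                hit = not hit
        if hit:
            return True
    return False


def is_denied(event: Dict[str, str], rules: List[Dict]) -> bool:
    """True if a deny stanza lists the event's source type and its Query matches the event."""
    st = event["Sourcetype"]
    return any(r["action"] == "deny" and st in r["sourcetypes"] and query_matches(r["query"], event)
               for r in rules)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Sourcetype": "Logon:LogonDetail", "User": "AD\\LogonTest"},             # dropped: == term
    {"Sourcetype": "Logon:LogonDetail", "User": "AD\\jdoe"},                  # sent
    {"Sourcetype": "Logon:GroupPolicyCSEDetail2", "User": "CORP\\Administrator"},  # dropped: LIKE
    {"Sourcetype": "Process:LogonProcesses", "ProcUser": "AD\\LogonTest"},    # dropped: 2nd stanza
    {"Sourcetype": "Process:ProcessStartup", "ProcUser": "AD\\LogonTest"},    # sent: type not listed
]


def dry_run(rules_text: str = RULES_TEXT, events=SAMPLE_EVENTS) -> List[Tuple[str, bool]]:
    """Return (label, denied) per event so the filter's effect can be reviewed before deployment."""
    rules = parse_rules(rules_text)
    return [(e["Sourcetype"] + " " + (e.get("User") or e.get("ProcUser", "")), is_denied(e, rules))
            for e in events]


if __name__ == "__main__":
    for label, denied in dry_run():
        print(("DROP " if denied else "SEND ") + label)
```

The fifth event is the one to watch: `Process:ProcessStartup` carries `ProcUser = AD\LogonTest`, but the Logons stanzas never list that source type, so the data is still sent. To suppress a user completely you need stanzas that name every source type with a `User`, `ProcUser` or `SessionUser` field, as in the Miscellaneous rule set above.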
