uberAgent-eventdata-filter-vastlimits-Windows.conf
The following is the uberAgent-eventdata-filter-vastlimits-Windows.conf
configuration file that ships with uberAgent. It contains the eventdata filter rules for Windows that are curated by vast limits.
[EventDataFilter]
# Deny any DNS event caused by browsers.
# Each [EventDataFilter] section in this file is one independent rule; the header is repeated per rule.
# This rule matches by process name only (ProcName), not by path as the conhost.exe rule below does,
# so DNS queries from a process carrying one of these names at any path are also dropped.
# Trade-off to keep in mind: it removes browser DNS telemetry entirely, not just the noisy part.
Action = deny
Sourcetype = Process:DnsQuery
Query = ProcName in ["chrome.exe", "iexplore.exe", "firefox.exe", "msedge.exe", "opera.exe"]
[EventDataFilter]
# Deny any DNS event caused by uberAgent because it performs reverse lookups to assign IP addresses to hostnames.
# Suppresses only the agent's own lookup noise: the rule is scoped to the Process:DnsQuery sourcetype
# and, like the browser rule above, matches on the process name alone.
Action = deny
Sourcetype = Process:DnsQuery
Query = ProcName == "uberagent.exe"
[EventDataFilter]
# Exclude "conhost.exe" (typically started from the path: \??\C:\WINDOWS\system32\conhost.exe)
# Sourcetype is given twice so the rule covers both ProcessStartup and ProcessStop events; a repeated key
# appears to be this file's list convention (assumption from this file -- confirm against the uberAgent docs).
# The pattern is anchored (^ ... $) and pinned to %SystemRoot%\System32, so a conhost.exe started from any
# other directory is still recorded. The optional "\??\" group covers the NT-style path form shown above.
# NOTE(review): the example path says "system32" while the pattern says "System32" -- this assumes
# regex_match_path compares case-insensitively and expands %SystemRoot%; verify both before relying on it.
Action = deny
Sourcetype = Process:ProcessStartup
Sourcetype = Process:ProcessStop
Query = regex_match_path(ProcPath, r"^(\\\?\?\\)?%SystemRoot%\\System32\\conhost\.exe$")
[EventDataFilter]
# Exclude processes whose name is exactly one of the given names.
# Scoped to the Process:ProcessDetail sourcetype only; other sourcetypes for these processes are not touched by this rule.
# Name-only match (ProcName), as in the browser DNS rule above -- no path check is made here, so any process
# using one of these names, wherever it runs from, is excluded from ProcessDetail.
Action = deny
Sourcetype = Process:ProcessDetail
Query = ProcName in ["cmd.exe", "conhost.exe", "csrss.exe", "lsm.exe", "smss.exe", "wininit.exe", "winlogon.exe"]