uberAgent-eventdata-filter-sysmon.conf

The following is the uberAgent-eventdata-filter-sysmon.conf configuration file that ships with uberAgent. It contains eventdata filter rules, derived from a Sysmon configuration, for use with uberAgent.

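#
# uberAgent-eventdata-filter-sysmon.conf
#
# The rules are converted from sysmonconfig-export.xml.
# GitHub repository at https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
# Git Commit: cbc22e8
#
# Layout: every [EventDataFilter] section below is one independent rule;
# repeating the section header is how this file expresses a list of rules.
# Each rule carries the same three keys:
#   Action     = deny               -> matching events are filtered out (not recorded)
#   Sourcetype = Process:DnsQuery   -> the rule applies to DNS query events only
#   Query      = match expression on the DnsRequest field, either an exact
#                comparison (DnsRequest == "...") or a suffix match
#                (iendswith(DnsRequest, "...")). The "i" prefix suggests a
#                case-insensitive "ends with" test -- confirm against the
#                uberAgent filter documentation before relying on it.
#
# Note for defenders: every deny rule is a telemetry blind spot. A DNS query
# that matches one of these patterns is never recorded, so review the list
# against your own monitoring needs before deploying it; several entries
# (for example .microsoft.com, .windows.net.nsatc.net, .trafficmanager.net,
# .akadns.net and the CDN/OCSP hosts) cover a lot of shared infrastructure.
#
# Suffix patterns without a leading dot ("aspnetcdn.com", "pki.goog",
# "ocsp.identrust.com", "amazontrust.com") also match any other hostname that
# merely ends in that string, not only the domain and its subdomains. They
# are kept as converted from upstream and marked with a comment where they
# occur.
#
# Exact duplicates present in the upstream conversion were removed
# (cdnjs.cloudflare.com, .amazon-adsystem.com, pki.goog, ocsp.godaddy.com,
# .usertrust.com, ocsp.comodoca.com, ocsp.entrust.net, ocsp.identrust.com,
# ocsp.int-x3.letsencrypt.org); a deny rule listed twice has no additional
# effect.
#

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# Reverse-lookup zones written as fully qualified names (trailing dot).
# Not redundant with the ".arpa" rule below: a name ending in ".arpa."
# does not end in ".arpa".
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".arpa.")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".arpa")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".msftncsi.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "..localmachine"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "localhost"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, "-pushp.svc.ms")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".b-msedge.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".bing.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".hotmail.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".live.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".live.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".s-microsoft.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# Very broad suffix: hides every query under microsoft.com.
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".microsoft.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".microsoftonline.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".microsoftstore.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".ms-acdc.office.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".msedge.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".msn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".msocdn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".skype.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".skype.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".windows.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".windows.net.nsatc.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".windowsupdate.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".xboxlive.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "login.windows.net"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".activedirectory.windowsazure.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".aria.microsoft.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".msauth.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".msftauth.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".office.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".opinsights.azure.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".res.office365.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "acdc-direct.office.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "atm-fp-direct.office.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "loki.delve.office.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "management.azure.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "messaging.office.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "outlook.office365.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "portal.azure.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "protection.outlook.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "substrate.office.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".measure.office.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adobe.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adobe.io")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".mozaws.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".mozilla.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".mozilla.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".mozilla.org")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".spotify.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".spotify.map.fastly.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".wbx2.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".webex.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clients1.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clients2.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clients3.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clients4.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clients5.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clients6.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "safebrowsing.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".akadns.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".netflix.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# No leading dot: also matches unrelated hostnames that end in
# "aspnetcdn.com". Kept as converted; consider an exact match for the
# apex plus ".aspnetcdn.com" for subdomains.
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, "aspnetcdn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ajax.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "cdnjs.cloudflare.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "fonts.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".typekit.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".stackassets.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".steamcontent.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "play.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "content-autofill.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".disqus.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".fontawesome.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "disqus.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".1rx.io")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".2mdn.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".3lift.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adadvisor.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adap.tv")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".addthis.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adform.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adnxs.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adroll.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adrta.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adsafeprotected.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adsrvr.org")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".adsymptotic.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".advertising.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".agkn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".amazon-adsystem.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".analytics.yahoo.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".aol.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".betrad.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".bidswitch.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".casalemedia.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".chartbeat.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".cnn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".convertro.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".criteo.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".criteo.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".crwdcntrl.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".demdex.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".domdex.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".dotomi.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".doubleclick.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".doubleverify.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".emxdgt.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".everesttech.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".exelator.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".google-analytics.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".googleadservices.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".googlesyndication.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".googletagmanager.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".googlevideo.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".gstatic.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".gvt1.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".gvt2.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".ib-ibi.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".jivox.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".krxd.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".lijit.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".mathtag.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".moatads.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".moatpixel.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".mookie1.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".myvisualiq.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".netmng.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".nexac.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".openx.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".optimizely.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".outbrain.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".pardot.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".phx.gbl")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".pinterest.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".pubmatic.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".quantcount.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".quantserve.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".revsci.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".rfihub.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".rlcdn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".rubiconproject.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".scdn.co")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".scorecardresearch.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".serving-sys.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".sharethrough.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".simpli.fi")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".sitescout.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".smartadserver.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".snapads.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".spotxchange.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".taboola.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".taboola.map.fastly.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".tapad.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".tidaltv.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".trafficmanager.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".tremorhub.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".tribalfusion.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".turn.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".twimg.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".tynt.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".w55c.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".ytimg.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".zorosrv.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "1rx.io"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "adservice.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ampcid.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "clientservices.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "googleadapis.l.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "imasdk.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "l.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ml314.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "mtalk.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "update.googleapis.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "www.googletagservices.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".pscp.tv")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# Subsumed by the dotless "amazontrust.com" rule further down; kept for
# fidelity with the upstream conversion.
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".amazontrust.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".digicert.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".globalsign.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".globalsign.net")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".intel.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".symcb.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".symcd.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".thawte.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".usertrust.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, ".verisign.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# No leading dot: also matches any hostname ending in "ocsp.identrust.com".
# An exact match (DnsRequest == "ocsp.identrust.com") would be tighter.
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, "ocsp.identrust.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# No leading dot: also matches any hostname ending in "pki.goog".
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, "pki.goog")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "msocsp.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.comodoca.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.entrust.net"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.godaddy.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.int-x3.letsencrypt.org"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.msocsp.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
# No leading dot: also matches any hostname ending in "amazontrust.com",
# not only the domain and its subdomains. Kept as converted from upstream.
Action = deny
Sourcetype = Process:DnsQuery
Query = iendswith(DnsRequest, "amazontrust.com")

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.sectigo.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "pki-goog.l.google.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "ocsp.verisign.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "status.rapidssl.com"

[EventDataFilter]
# Source: https://github.com/SwiftOnSecurity/sysmon-config
Action = deny
Sourcetype = Process:DnsQuery
Query = DnsRequest == "status.thawte.com"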
