
uberAgent-eventdata-filter-vastlimits-Windows.conf

The following is the uberAgent-eventdata-filter-vastlimits-Windows.conf configuration file that ships with uberAgent. It contains eventdata filter rules for Windows curated by vast limits.

[EventDataFilter]
# Deny any DNS event caused by browsers.
Action = deny
Sourcetype = Process:DnsQuery
Query = ProcName in ["chrome.exe", "iexplore.exe", "firefox.exe", "msedge.exe", "opera.exe"]

[EventDataFilter]
# Deny any DNS event caused by uberAgent because it performs reverse lookups to assign IP addresses to hostnames.
Action = deny
Sourcetype = Process:DnsQuery
Query = ProcName == "uberagent.exe"

[EventDataFilter]
# Exclude "conhost.exe" (typically started from the path: \??\C:\WINDOWS\system32\conhost.exe)
Action = deny
Sourcetype = Process:ProcessStartup
Sourcetype = Process:ProcessStop
Query = regex_match_path(ProcPath, r"^(\\\?\?\\)?%SystemRoot%\\System32\\conhost\.exe$")

[EventDataFilter]
# Exclude processes whose name is exactly one of the given names.
Action = deny
Sourcetype = Process:ProcessDetail
Query = ProcName in ["cmd.exe", "conhost.exe", "csrss.exe", "lsm.exe", "smss.exe", "wininit.exe", "winlogon.exe"]
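The rules above are evaluated by uberAgent itself. To make the filtering behaviour concrete, here is an added Python example (not uberAgent code) that parses the shipped file into its four rules and applies them to a few constructed process events, reporting which events each deny rule would suppress. The query mini-language is reduced to the three constructs the file actually uses (`in [...]`, `== "..."`, `regex_match_path(...)`); treating comparisons as case-insensitive and expanding `%SystemRoot%` to `C:\Windows` are assumptions of this example, not documented uberAgent behaviour.

```python
"""Toy evaluator for uberAgent-style [EventDataFilter] rules (added example).

Assumptions (not documented uberAgent behaviour): process-name comparisons
and regex_match_path are case-insensitive, and %SystemRoot% is C:\\Windows.
"""
import re

# Copy of the shipped filter file from the listing above (comments omitted).
FILTER_CONF = r'''
[EventDataFilter]
Action = deny
Sourcetype = Process:DnsQuery
Query = ProcName in ["chrome.exe", "iexplore.exe", "firefox.exe", "msedge.exe", "opera.exe"]

[EventDataFilter]
Action = deny
Sourcetype = Process:DnsQuery
Query = ProcName == "uberagent.exe"

[EventDataFilter]
Action = deny
Sourcetype = Process:ProcessStartup
Sourcetype = Process:ProcessStop
Query = regex_match_path(ProcPath, r"^(\\\?\?\\)?%SystemRoot%\\System32\\conhost\.exe$")

[EventDataFilter]
Action = deny
Sourcetype = Process:ProcessDetail
Query = ProcName in ["cmd.exe", "conhost.exe", "csrss.exe", "lsm.exe", "smss.exe", "wininit.exe", "winlogon.exe"]
'''

SYSTEM_ROOT = r"C:\Windows"  # assumed expansion of %SystemRoot%


def parse_filters(text):
    """Parse repeated [EventDataFilter] sections. Sourcetype may repeat,
    so it is collected as a list; every other key is a plain string."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[EventDataFilter]":
            current = {"Sourcetype": []}
            rules.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "Sourcetype":
            current["Sourcetype"].append(value)
        else:
            current[key] = value
    return rules


_IN = re.compile(r'^(\w+) in \[(.*)\]$')
_EQ = re.compile(r'^(\w+) == "([^"]*)"$')
_RX = re.compile(r'^regex_match_path\((\w+),\s*r"(.*)"\)$')


def eval_query(query, event):
    """Evaluate one Query expression against an event (dict of fields)."""
    m = _IN.match(query)
    if m:
        field, body = m.groups()
        names = {s.lower() for s in re.findall(r'"([^"]*)"', body)}
        return event.get(field, "").lower() in names
    m = _EQ.match(query)
    if m:
        field, literal = m.groups()
        return event.get(field, "").lower() == literal.lower()
    m = _RX.match(query)
    if m:
        field, pattern = m.groups()
        # Expand the variable before compiling; escape it so the backslashes
        # in the path are matched literally rather than read as regex syntax.
        pattern = pattern.replace("%SystemRoot%", re.escape(SYSTEM_ROOT))
        return re.match(pattern, event.get(field, ""), re.IGNORECASE) is not None
    raise ValueError(f"unsupported query: {query}")


def is_denied(rules, event):
    """True if any deny rule scoped to this event's Sourcetype matches it."""
    return any(
        rule.get("Action") == "deny"
        and event["Sourcetype"] in rule["Sourcetype"]
        and eval_query(rule["Query"], event)
        for rule in rules
    )


def apply_filters(rules, events):
    """Split events into (kept, dropped) according to the rules."""
    kept, dropped = [], []
    for ev in events:
        (dropped if is_denied(rules, ev) else kept).append(ev)
    return kept, dropped


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Sourcetype": "Process:DnsQuery", "ProcName": "chrome.exe"},
    {"Sourcetype": "Process:DnsQuery", "ProcName": "powershell.exe"},
    {"Sourcetype": "Process:ProcessStartup", "ProcName": "conhost.exe",
     "ProcPath": r"\??\C:\WINDOWS\system32\conhost.exe"},
    {"Sourcetype": "Process:ProcessStartup", "ProcName": "conhost.exe",
     "ProcPath": r"C:\Users\alice\Downloads\conhost.exe"},
    {"Sourcetype": "Process:ProcessDetail", "ProcName": "cmd.exe"},
    {"Sourcetype": "Process:ProcessStartup", "ProcName": "cmd.exe",
     "ProcPath": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    rules = parse_filters(FILTER_CONF)
    kept, dropped = apply_filters(rules, SAMPLE_EVENTS)
    for ev in dropped:
        print("DROP", ev["Sourcetype"], ev.get("ProcPath", ev["ProcName"]))
    for ev in kept:
        print("KEEP", ev["Sourcetype"], ev.get("ProcPath", ev["ProcName"]))
```

Running it shows the scoping that matters when reading these rules: the conhost rule is anchored to the System32 path, so a same-named binary started from another directory still produces ProcessStartup and ProcessStop events, and the cmd.exe entry suppresses only Process:ProcessDetail, leaving its startup and stop events untouched.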
