SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Exclude _PSSCRIPTPOLICYTEST_xxxxx.ps1 in fullfilepath in AppLocker events from forwarding to WEC #184

Open divadiow opened 1 year ago

divadiow commented 1 year ago

Is it possible to exclude the AppLocker test events, which Windows generates loads of, from being forwarded to our Windows Event Collector? Our sysmonconf file is the Swift sysmon.xml.

The event XML has this information in the "filepath" and "fullfilepath" sections, e.g.

%OSDRIVE%\USERS\user123\APPDATA\LOCAL\TEMP__PSSCRIPTPOLICYTEST_ND0JBN3F.CWB.PS1
