uberAgent

Event Data Filtering Examples

Article Purpose

This article is a pool of Event Data Filtering rules and gets extended continually. Sources could be support tickets or community posts.

The rules serve as a suggestion of what is possible with Event Data Filtering and must be tested before use in your own company.

First, read the official documentation on Event Data Filtering. A few examples are listed there. Then, browse through the rules below.

List of Rules

Logons

# Do not send data about logons of the service user "LogonTest" in domain "AD" and of local as well as domain admins
# Last rule update: 2021-12-22

[EventDataFilter]
Action = deny
Sourcetype = Logon:LogonDetail
Sourcetype = Logon:GroupPolicyCSEDetail2
Query = User == "AD\\LogonTest" OR User LIKE r"%\\administrator"

[EventDataFilter]
Action = deny
Sourcetype = Process:LogonProcesses
Query = ProcUser == "AD\\LogonTest" OR ProcUser LIKE r"%\\administrator"
<!--NeedCopy-->

Miscellaneous

# Do not send any data about the user "JohnDoe" in domain "AD"
# You need to list every source type with one of the following fields: User, ProcUser, or SessionUser
# A list of source types is available in the metrics documentation on /en-us/uberagent/
# Last rule update: 2021-12-22

[EventDataFilter]
Action = deny
Sourcetype = Application:BrowserPerformanceChrome
Sourcetype = Application:BrowserWebRequests2
Sourcetype = Application:Errors
Sourcetype = Process:LogoffProcesses
Sourcetype = Process:LogonProcesses
Sourcetype = Process:NetworkTargetPerformance
Sourcetype = Process:ProcessDetail
Sourcetype = Process:ProcessStartup
Sourcetype = Process:ProcessStop
Sourcetype = ActivityMonitoring:ProcessTagging
Query = ProcUser == "AD\\JohnDoe"

[EventDataFilter]
Action = deny
Sourcetype = Application:NetworkConnectFailure
Sourcetype = Application:UIDelay
Sourcetype = Logoff:LogoffDetail
Sourcetype = Logon:GroupPolicyCSEDetail2
Sourcetype = Logon:LogonDetail
Sourcetype = Tags:UserHost
Query = User == "AD\\JohnDoe"

[EventDataFilter]
Action = deny
Sourcetype = Session:SessionDetail
Query = SessionUser == "AD\\JohnDoe"
<!--NeedCopy-->
Event Data Filtering Examples