Merge pull request #4 from Neo23x0/SwiftOnSecurity-PRs

Mirror Pullrequest by DustyMMiller (Add Splunk exclusions per sysmon-modular SwiftOnSecurity#156)
Neo23x0 · Jul 30, 2021 · 58d6cc5 · 58d6cc5
2 parents 454b72e + c56d1ab
commit 58d6cc5
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
@@ -226,6 +226,13 @@
 			<!--SECTION: Google-->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
+			<!--SECTION: Splunk-->
+			<Image condition="contains">:\Program Files\Splunk\bin\</Image> <!--Splunk: Very noisy if using Universal Forwarders-->
+			<ParentImage condition="end with">:\Program Files\Splunk\bin\splunkd.exe</ParentImage> <!--Splunk: Very noisy if using Universal Forwarders-->
+			<ParentImage condition="end with">:\Program Files\Splunk\bin\splunk.exe</ParentImage> <!--Splunk: Very noisy if using Universal Forwarders-->
+			<Image condition="contains">:\Program Files\SplunkUniversalForwarder\bin\</Image> <!--Splunk: Very noisy if using Universal Forwarders-->
+			<ParentImage condition="end with">:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage> <!--Splunk: Very noisy if using Universal Forwarders-->
+			<ParentImage condition="end with">:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage> <!--Splunk: Very noisy if using Universal Forwarders-->
 		</ProcessCreate>
 	</RuleGroup>