Filter alerts based on token data #282
wilmerism started this conversation in Feature Requests
Replies: 0 comments
This idea comes from the recent issue: DNS name contains an invalid character seen in command logs #183
RMM performs a lot of "LOLBINS" commands on the network. With the above issue, having the canary token fail to trigger on the RMM but succeed on a genuine user is something nice to be able to do.
I have a server where I can't change the RMM (all the others I can). I plan to keep the "faulty", not-fixed #183 tokens in place on that server, but replace all others with the fixed token.
So having maybe a KB article on how to change the regex, or even an "exclude if username = john" type feature, may have some value to other users.
Another evolution of this may be a time value in there, i.e. so the canary will only trigger if 8pm > 8am.
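The two suppressions asked for above (ignore hits from a known service account such as the one an RMM runs as, and only alert inside an on-watch window such as 8pm to 8am) can be expressed as a small rule applied to token hits before they are sent on. The following is an added example, not code from the project or from the poster; the shape of an alert record (a `username` and a local `timestamp`) and the rule fields are assumptions. It also handles the one edge case the time idea raises: a window whose start is later than its end has to wrap past midnight.

```python
"""Filter canary token hits against username exclusions and a time-of-day window.

Added example; not the project's own code. Alert record shape and rule
format are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AlertFilter:
    """Rules deciding whether a token hit should raise an alert."""

    # Accounts whose hits are treated as expected noise (e.g. the RMM's service account).
    # Compared case-insensitively. Keep this list short: a hit from an excluded account
    # is never alerted, so every entry is a blind spot.
    excluded_users: frozenset = frozenset()
    # Local-time window in which hits count as suspicious; None means always.
    # If start is later than end the window wraps past midnight (20:00 -> 08:00).
    window: Optional[tuple] = None

    def in_window(self, ts: datetime) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        t = ts.time()
        if start <= end:
            # Same-day window, e.g. 09:00 -> 17:00.
            return start <= t < end
        # Wrapping window: late-evening part or early-morning part.
        return t >= start or t < end

    def should_alert(self, alert: dict) -> bool:
        user = alert.get("username", "").lower()
        if user in self.excluded_users:
            return False
        return self.in_window(alert["timestamp"])


def partition_alerts(alerts, rule):
    """Split hits into (to_alert, suppressed) so suppressed hits can still be logged."""
    kept, dropped = [], []
    for a in alerts:
        (kept if rule.should_alert(a) else dropped).append(a)
    return kept, dropped


# Constructed sample hits (not real data); timestamps are local time.
SAMPLE_ALERTS = [
    {"token": "tok-1", "username": "rmm-svc", "timestamp": datetime(2024, 1, 10, 22, 15)},
    {"token": "tok-1", "username": "john", "timestamp": datetime(2024, 1, 10, 22, 15)},
    {"token": "tok-2", "username": "jane", "timestamp": datetime(2024, 1, 11, 7, 59)},
    {"token": "tok-2", "username": "jane", "timestamp": datetime(2024, 1, 11, 8, 0)},
    {"token": "tok-3", "username": "jane", "timestamp": datetime(2024, 1, 11, 14, 30)},
]

# Rule matching the request: ignore the RMM account, alert only between 20:00 and 08:00.
NIGHT_RULE = AlertFilter(
    excluded_users=frozenset({"rmm-svc"}),
    window=(time(20, 0), time(8, 0)),
)


def demo():
    """Return (username, HH:MM) for the hits that would still alert."""
    kept, _ = partition_alerts(SAMPLE_ALERTS, NIGHT_RULE)
    return [(a["username"], a["timestamp"].strftime("%H:%M")) for a in kept]


if __name__ == "__main__":
    kept, dropped = partition_alerts(SAMPLE_ALERTS, NIGHT_RULE)
    for a in kept:
        print("ALERT    ", a["token"], a["username"], a["timestamp"])
    for a in dropped:
        print("suppressed", a["token"], a["username"], a["timestamp"])
```

With the constructed sample, only the 22:15 hit by `john` and the 07:59 hit by `jane` are alerted; the RMM account's hit and the daytime hits are suppressed but still returned, so they can be written to a log rather than discarded, which is the part a defender wants when reviewing whether an exclusion is hiding something.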