Stuart Brown StoobertB

## rules.json
{
  "references": [
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/asus.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/allekringloopwinkels.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/airbnb.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/arteradio.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/alandsbanken.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/admiral.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/autodesk.json",
    "https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/autohero.json",

## inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
	{
	"references": [
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/asus.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/allekringloopwinkels.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/airbnb.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/arteradio.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/alandsbanken.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/admiral.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/autodesk.json",
	"https://raw.githubusercontent.com/cavi-au/Consent-O-Matic/master/rules/autohero.json",
	[WinEventLog://Security]
	disabled = 0
	start_from = oldest
	current_only = 0
	evt_resolve_ad_obj = 1
	checkpointInterval = 5
	blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"