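# Splunk inputs.conf stanza: collect the Sysmon operational event channel.
# Read by the Splunk Windows event log input (Universal Forwarder); the
# WinEventLog:// stanza and the blacklist<N> = key=regex syntax are defined
# in the inputs.conf spec.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
# As written the input is switched off; set to false to begin collecting.
disabled = true
# Render events as XML; the source name below uses the matching XmlWinEventLog prefix.
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
# Prevent forwarding of multiple DNSQuery logs based on complex rule groups.
# Sysmon EventCode 22 = DNSQuery. Each rule drops an event only when every
# key=regex in the rule matches. Both rules are left commented out; remove
# the leading # to enable one. Dropping DNS query events reduces visibility,
# so keep any rule as narrow as possible (anchored Image path, specific QueryName).
# Quotes must be plain ASCII double quotes; a typographic quote leaves the
# value unterminated.
# NOTE(review): assumes Message-key matching behaves the same when renderXml is
# enabled — confirm against the inputs.conf spec before relying on these rules.
# blacklist1: QueryName ending in .arpa. (reverse lookups) issued by sysmon.exe.
# blacklist1 = EventCode="^22$" Message="(?i)QueryName:\s+(.*\.arpa\.)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\sysmon\.exe)$"
# blacklist2: QueryName HelloWorld.local issued by ping.exe.
# blacklist2 = EventCode="^22$" Message="(?i)QueryName:\s+(HelloWorld\.local)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\system32\\ping\.exe)$"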