Event ID Filtering
DustInDark edited this page Apr 21, 2022
You can filter on event IDs by placing event ID numbers in config/target_eventids.txt.

This will increase performance, so it is recommended if you only need to search for certain IDs.

We have provided a sample ID filter list at config/target_eventids_sample.txt, created from the EventID fields in all of the rules as well as IDs seen in actual results.

Please use this list if you want the best performance, but be aware that there is a slight possibility of missing events (false negatives): any rule whose EventID is not in the list can never match.
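The following is an added example (not Hayabusa's own code) showing how an event ID allow-list like config/target_eventids.txt narrows the events that get scanned, and how to measure the false-negative risk of a given list by comparing it against the EventIDs your rules reference. The file format assumed here (one integer event ID per line, blank lines and `#` comments ignored), the sample list, the sample events and the sample rule ID set are all constructed for the example.

```python
"""Added example (not Hayabusa's own code): event ID allow-list filtering
and a check for which rule EventIDs the list would silently drop."""

# Constructed sample of a target_eventids.txt: one Event ID per line,
# blank lines and '#' comments ignored (the format is an assumption).
SAMPLE_TARGET_LIST = """
# Security log
4624
4625
4688
# Sysmon
1
"""

# Constructed sample event records, a minimal stand-in for parsed EVTX events.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Computer": "ws01"},
    {"Channel": "Security", "EventID": 4625, "Computer": "ws01"},
    {"Channel": "Security", "EventID": 4672, "Computer": "ws01"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "ws01"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3, "Computer": "ws01"},
]

# Constructed sample of the EventID values referenced across a rule set.
SAMPLE_RULE_EVENT_IDS = {4624, 4625, 4672, 4688, 1, 3}


def parse_target_ids(text: str) -> set[int]:
    """Parse the allow-list: one integer event ID per line; '#' comments and blanks skipped."""
    ids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.isdigit():
            raise ValueError(f"invalid event ID line: {raw!r}")
        ids.add(int(line))
    return ids


def filter_events(events, target_ids):
    """Keep only events whose EventID is in the allow-list; an empty list means no filtering."""
    if not target_ids:
        return list(events)
    return [e for e in events if e["EventID"] in target_ids]


def uncovered_rule_ids(rule_ids, target_ids):
    """EventIDs that rules depend on but the allow-list omits: rules on these can never fire."""
    if not target_ids:
        return set()
    return set(rule_ids) - set(target_ids)


if __name__ == "__main__":
    targets = parse_target_ids(SAMPLE_TARGET_LIST)
    kept = filter_events(SAMPLE_EVENTS, targets)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events pass the filter")
    missing = uncovered_rule_ids(SAMPLE_RULE_EVENT_IDS, targets)
    print("rule EventIDs absent from the filter list (potential false negatives):", sorted(missing))
```

Running the check before enabling a filter list tells you exactly which rules you are trading away for the speed-up; an empty result means the list covers every EventID your rules reference and the filter cannot cause a false negative by itself.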