From 769dabf8a62afedc882caa36ddccd143ae2a876d Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 12 Aug 2020 23:02:59 -0700
Subject: [PATCH] Update transforms.conf

---
 Vagrant/resources/splunk_server/transforms.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf
index 0f9b468..cdf7ff3 100644
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -23,3 +23,15 @@ FORMAT = nullQueue
 REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
 DEST_KEY = queue
 FORMAT = nullQueue
+
+[removeEventDesc1]
+LOOKAHEAD = 20000
+REGEX = (?msi)(.*)This event is generated
+DEST_KEY = _raw
+FORMAT = $1
+
+[removeEventDesc2]
+LOOKAHEAD = 20000
+REGEX = (?msi)(.*)The subject fields indicate
+DEST_KEY = _raw
+FORMAT = $1
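Review bot: The two new stanzas rewrite `_raw` in place with `DEST_KEY = _raw` / `FORMAT = $1`, so everything from the marker phrase to the end of the event is discarded before indexing and cannot be recovered for later investigation; that deserves a comment in the file, e.g. `# Strips the boilerplate Windows event description; irreversible, text after the marker is never indexed` above `[removeEventDesc1]` (and likewise for `[removeEventDesc2]`). Because `(?msi)(.*)` is greedy with `s` set, the capture runs to the last occurrence of the phrase within the first 20000 characters set by `LOOKAHEAD`; an event whose marker lies beyond that window is left untouched, which is the safe failure mode, but an event that begins with the phrase would presumably produce an empty `$1` and therefore an empty `_raw`, which is worth confirming against the Splunk version in use. These stanzas have no effect until a `TRANSFORMS-` entry in props.conf references them, and that wiring is not part of this patch.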