From d1d056677317726280176529032fc5a50a955f40 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 18 Apr 2020 15:59:54 -0700
Subject: [PATCH] Add some Splunk nullQueues for noisy events

---
 Vagrant/resources/splunk_server/props.conf | 6 +++++-
 Vagrant/resources/splunk_server/transforms.conf | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/Vagrant/resources/splunk_server/props.conf b/Vagrant/resources/splunk_server/props.conf
index fc080c2..393bf08 100644
--- a/Vagrant/resources/splunk_server/props.conf
+++ b/Vagrant/resources/splunk_server/props.conf
@@ -21,4 +21,8 @@ TIME_FORMAT = %s
 TRUNCATE = 0
 
 [osquery:status]
-TRANSFORMS-null = setnull
\ No newline at end of file
+TRANSFORMS-null = setnull
+
+[WinEventLog]
+TRANSFORMS-null = osqueryd_wineventlog_null
+TRANSFORMS-null = autoruns_wineventlog_null
\ No newline at end of file
diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf
index 89249ce..5e76d4c 100644
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -17,4 +17,14 @@ FORMAT = host::$1
 [setnull]
 REGEX = Error\scasting
 DEST_KEY = queue
+FORMAT = nullQueue
+
+[osqueryd_wineventlog_null]
+REGEX = "Process_Name=C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe"
+DEST_KEY = queue
+FORMAT = nullQueue
+
+[autoruns_wineventlog_null]
+REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
+DEST_KEY = queue
 FORMAT = nullQueue
\ No newline at end of file
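Review bot: The two `TRANSFORMS-null` lines added to the new `[WinEventLog]` stanza in props.conf use the same key, and Splunk keeps only the last value for a repeated key in a stanza, so `osqueryd_wineventlog_null` is never attached and only the Autoruns filter runs. A transform class takes a comma-separated list, so the stanza should read `TRANSFORMS-null = osqueryd_wineventlog_null, autoruns_wineventlog_null` on a single line. It is also worth confirming that the forwarder indexes these events under the sourcetype `WinEventLog` exactly; a plain sourcetype stanza does not match per-channel variants such as `WinEventLog:Security`, and if that is what arrives, neither filter applies and the noise is unchanged.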
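Review bot: The surrounding double quotes in the two new `REGEX` values in transforms.conf are part of the pattern, since Splunk does not strip quotes from .conf values, so `osqueryd_wineventlog_null` only fires on events containing a literal `"` immediately before `Process_Name=`, and the same holds for `autoruns_wineventlog_null`; drop the quotes, e.g. `REGEX = Process_Name=C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe`. Once they match, both patterns are unanchored substring matches against `_raw`, so any Windows event that mentions the osqueryd binary path or the AutorunsToWinEventLog script anywhere in its text is routed to nullQueue at index time and cannot be recovered; prefixing each regex with the noisy event's `EventCode=<noisy event id>` value (placeholder) would confine the blind spot to the event actually being suppressed. I cannot tell from the hunk whether the raw event body carries `Process_Name=` or the space-separated `Process Name:` layout of classic Windows event text, so verify against an indexed sample, because in the latter case the first filter never matches at all.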