Smart Filters reduce the amount of data ingested into the Huntress SIEM by dropping logs that are not relevant to the Huntress security mission. This practice helps keep ingested log volume to a minimum, reducing cost and the potential for overages.
These logs have been identified by security experts and can be safely excluded, or "dropped" from ingestion. When adding Smart Filters, please keep in mind that because they exclude or drop logs, those logs will no longer be available for searching in hot storage, or in future cold storage rehydrations.
This list is frequently updated so please follow it to ensure awareness. If you have any questions or concerns about Smart Filters, please reach out to Support or your Account Manager.
Vendor | Product | Filter Criteria | Description |
|---|---|---|---|
Microsoft | Windows Security Events | EventID: 4656 | A handle to an object was requested |
Microsoft | Windows Security Events | EventID: 4658 | The handle to an object was closed |
Microsoft | Windows Security Events | EventID: 4661 | A handle to an object was requested |
Microsoft | Windows Security Events | EventID: 4662 | An operation was performed on an object |
Microsoft | Windows Security Events | EventID: 4663 | An attempt was made to access an object |
Microsoft | Windows Security Events | EventID: 4672 | Special privileges assigned to new logon |
Microsoft | Windows Security Events | EventID: 4673 | A privileged service was called |
Microsoft | Windows Security Events | EventID: 4674 | Privilege Use |
Microsoft | Windows Security Events | EventID: 4688 | A new process has been created |
Microsoft | Windows Security Events | EventID: 4689 | A process has exited |
Microsoft | Windows Security Events | EventID: 4690 | An attempt was made to duplicate a handle to an object |
Microsoft | Windows Security Events | EventID: 4703 | Policy Change |
Microsoft | Windows Security Events | EventID: 4798 | A user's local group membership was enumerated |
Microsoft | Windows Security Events | EventID: 4799 | A security-enabled local group membership was enumerated |
Microsoft | Windows Security Events | EventID: 4985 | The state of a transaction has changed |
Microsoft | Windows Security Events | EventID: 5145 | A network share object was checked to see whether the client can be granted desired access |
Microsoft | Windows Security Events | EventID: 5152 | The Windows Filtering Platform blocked a packet |
Microsoft | Windows Security Events | EventID: 5156 | The Windows Filtering Platform has allowed a connection |
Microsoft | Windows Security Events | EventID: 5158 | The Windows Filtering Platform has permitted a bind to a local port |
Microsoft | Windows Security Events | EventID: 5447 | A Windows Filtering Platform filter has been changed |
Microsoft | Windows Security Events | EventID: 5449 | A Windows Filtering Platform provider context has been changed |
Microsoft | Windows Application Events | EventID: 14000 | Microsoft ISA Server Job Scheduler Authentication Failed |
Microsoft | Windows Application Events | Source: ELAN/Service | Driver Updates |
Microsoft | Windows Application Events | Source: “Microsoft-Windows-RestartManager” EventID: 10000, 10001 | Start and End Session Events for the RestartManager |
Microsoft | Windows System Events | Source: “Microsoft-Windows-UserModePowerService” EventID: 12
| Windows Kernel Power Messaging |
Microsoft | Windows CodeIntegrity | Source: "Microsoft-Windows-CodeIntegrity" EventID: 3033, 3089 | The file under validation didn't meet the requirements to pass the App Control policy. This event contains signature information for files that were blocked or audit blocked by App Control. |
Microsoft | AppLocker | EventID: 8003 | Shown only when the Audit only enforcement mode is enabled. Indicates that the AppLocker policy would block the .exe or .dll file if the enforcement mode setting was Enforce rules. |
Microsoft | AppLocker | EventID: 8037 | Object passed Config CI policy and was allowed to run. |
Microsoft | AppLocker | EventID: 8041 | An application was allowed to run despite not explicitly matching any configured AppLocker rules. |
WatchGuard | Firewall | msg_id: 3000-0148 | Allowed/Denied Network Traffic |
Sophos | Firewall | messageid: 0001 | Firewall Network Allow |
Sophos | Firewall | messageid: 02002 | Firewall Appliance Access Denied |
SonicWall | Firewall | m: 98 | Connection Opened |
SonicWall | Firewall | m: 537 | Connection Closed |
FortiGate | Firewall | msg_id: 13, 15 | Traffic Forward |
FortiGate | Firewall | msg_id: 14, 16 | Traffic Local |
CodeIntegrity | CodeIntegrity | EventID: 3033 | Signing Level Requirement |
CodeIntegrity | CodeIntegrity | EventID: 3089 | App Control Signature |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 305011 | Built dynamic NAT translation |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 305012 | Teardown dynamic NAT translation |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 302013 | Built inbound TCP connection |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 302014 | Teardown TCP connection |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 302015 | Built outbound UDP connection |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 106001 | Inbound TCP connection denied |
| Cisco FTD/Cisco ASA | Firewall | Message ID: 106023 | IP packet denied by ACL |