From ea511bd761573e8132bbe799dbd4fccc7f80f60f Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 6 Dec 2021 20:50:20 +0000
Subject: [PATCH] adding file event filter
---
 tools/config/hawk.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 583e4421c..b640d833b 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -174,6 +174,12 @@ logsources:
 conditions:
 product_name: "Sysmon"
 vendor_id: "23"
+ windows-file-event:
+ product: windows
+ category: file_event
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 11
 windows-wmi-sysmon:
 product: windows
 category: wmi_event
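Review bot: `vendor_id: 11` in the new windows-file-event entry is an unquoted scalar, so a YAML loader yields an integer here while the neighbouring entry's `vendor_id: "23"` yields a string; if the consumer compares the condition against a string-typed event field with type-sensitive equality, this filter would silently never match, which is the worst failure mode for a detection log source. Quote it to match the existing entries: `vendor_id: "11"`. The key name also departs from the sibling pattern (`windows-wmi-sysmon` is the only other key visible), so `windows-file-sysmon` would be more consistent, though that is style only. The enclosing logsources mapping starts and ends outside the hunk.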