How to add an exclude/include filter

Fine Tuning (Step 5 of 7)

Adjusting the filter

Now that we have the filter configured and assigned, our filter should notify us via email whenever notepad.exe is launched, right? Almost.

When we clicked "Add Include Filter" in the event log, EventSentry automatically created the filter with source, category, and event id. It is important to point out that several different events can write to the event logs with the same source, category, and event id. In this case, we would receive an email for every event that matched these elements, which would be each and every process created.

To avoid flooding your email target it is necessary to restrict this filter to only the events you want to receive. We know that the event we are looking for contains the word "notepad" in the event details, so we will add the word to the Filter Text surrounded by two wildcards. Then we will specify the process creator's account in the Username field.

This will notify the email target only when an event matches all specified event properties (event log, event severity, event source, event category, event id and event user) and also contains the word "notepad" in the event details.

Filter Text with wildcards
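To make the narrowing effect concrete, here is an added example (not EventSentry's own code or API) that models an include filter as a small Python matcher and runs it over a handful of constructed sample events. The `Event` and `IncludeFilter` classes, the field names and the sample records are all assumptions made for this illustration; the records are shaped like Windows Security log process-creation (4688) and process-exit (4689) audit events. The wildcard text uses `*`, as in the page, and is matched case-insensitively against the event details.

```python
"""Toy model of an include filter: property match plus wildcard text match.
Added example only; class names, fields and sample events are constructed
and are not EventSentry's real data model."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    """One event-log record (constructed sample shape)."""
    log: str
    severity: str
    source: str
    category: str
    event_id: int
    user: str
    message: str


@dataclass(frozen=True)
class IncludeFilter:
    """Include filter: every fixed property must match; user and text are optional."""
    log: str
    severity: str
    source: str
    category: str
    event_id: int
    user: Optional[str] = None   # None: any user passes
    text: Optional[str] = None   # wildcard pattern over the details; None: any text passes

    def matches(self, ev: Event) -> bool:
        # Fixed properties the filter was auto-created with.
        fixed_props = (self.log, self.severity, self.source, self.category, self.event_id)
        if (ev.log, ev.severity, ev.source, ev.category, ev.event_id) != fixed_props:
            return False
        # Optional restriction on the account that created the process.
        if self.user is not None and ev.user.lower() != self.user.lower():
            return False
        # Optional wildcard restriction on the event details ('*' = anything).
        if self.text is not None and not fnmatchcase(ev.message.lower(), self.text.lower()):
            return False
        return True


def _proc_event(event_id: int, user: str, exe: str) -> Event:
    """Build a constructed Security-log audit event for process creation/exit."""
    verb = "A new process has been created" if event_id == 4688 else "A process has exited"
    return Event(
        log="Security",
        severity="Audit Success",
        source="Microsoft-Windows-Security-Auditing",
        category="Process Creation" if event_id == 4688 else "Process Termination",
        event_id=event_id,
        user=user,
        message=f"{verb}. Process Name: C:\\Windows\\System32\\{exe}",
    )


# Constructed sample events: several process creations plus one process exit.
SAMPLE_EVENTS: List[Event] = [
    _proc_event(4688, "alice", "notepad.exe"),
    _proc_event(4688, "alice", "calc.exe"),
    _proc_event(4688, "bob", "notepad.exe"),
    _proc_event(4688, "alice", "cmd.exe"),
    _proc_event(4688, "SYSTEM", "svchost.exe"),
    _proc_event(4689, "alice", "notepad.exe"),  # exit event: different id, must not match
]

# What "Add Include Filter" produces: source, category and id only.
BROAD_FILTER = IncludeFilter(
    log="Security", severity="Audit Success",
    source="Microsoft-Windows-Security-Auditing",
    category="Process Creation", event_id=4688,
)

# The tuned version: same properties, plus Filter Text and Username.
TUNED_FILTER = IncludeFilter(
    log="Security", severity="Audit Success",
    source="Microsoft-Windows-Security-Auditing",
    category="Process Creation", event_id=4688,
    user="alice", text="*notepad*",
)


def matching_events(flt: IncludeFilter, events: List[Event]) -> List[Event]:
    """Return the events that would trigger the filter's email action."""
    return [ev for ev in events if flt.matches(ev)]


if __name__ == "__main__":
    print("broad filter would email on", len(matching_events(BROAD_FILTER, SAMPLE_EVENTS)), "events")
    print("tuned filter would email on", len(matching_events(TUNED_FILTER, SAMPLE_EVENTS)), "events")
```

Running it shows the flooding problem the page describes: the broad filter fires for every process creation in the sample (five events), while adding `*notepad*` and the username cuts that to the single event of interest. The text pattern alone (without the username) still matches both users' notepad launches, which is why the page sets both.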