exclude_ads.xml
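<Sysmon schemaversion="4.22">
  <!-- special thanks to @SwiftOnSecurity for this -->
  <!--
    DNS noise reduction for Sysmon: every QueryName rule in this file is an
    exclusion, so a DnsQuery event whose name matches any rule is not recorded.
    condition="end with" on a value with a leading dot matches subdomains only;
    the bare domain needs its own condition="is" rule (see 1rx.io below).
    condition="is" matches the exact name and nothing else.

    Review note: an excluded name leaves no DNS record in the Sysmon log, so an
    investigation has to get it from another source (resolver or proxy logs).
    Several suffixes below cover whole sites or shared namespaces rather than ad
    servers only (.aol.com, .cnn.com, .pinterest.com, .twimg.com, .gstatic.com,
    .googlevideo.com, .trafficmanager.net). Keep those only if that traffic is
    logged elsewhere.
  -->
  <HashAlgorithms>*</HashAlgorithms> <!-- * = record all supported hash algorithms -->
  <CheckRevocation/> <!-- check revocation status of signing certificates -->
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
        <QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
        <QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
        <QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
        <QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
        <QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
        <QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
        <QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
        <QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
        <QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
        <QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
        <QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
        <QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
        <QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
        <QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
        <QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
        <QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
        <QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.domdex.com</QueryName>
        <QueryName condition="end with">.dotomi.com</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
        <QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
        <QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: DoubleVerify-->
        <QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
        <QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielsen Marketing Cloud-->
        <QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
        <QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
        <QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
        <QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
        <QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
        <QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
        <QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
        <QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
        <QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
        <QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
        <QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
        <QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
        <QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.pinterest.com</QueryName> <!--Pinterest-->
        <QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.quantcount.com</QueryName>
        <QueryName condition="end with">.quantserve.com</QueryName>
        <QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
        <QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
        <QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
        <QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
        <QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
        <QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.simpli.fi</QueryName>
        <QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
        <QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
        <QueryName condition="end with">.tapad.com</QueryName>
        <QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
        <QueryName condition="end with">.trafficmanager.net</QueryName> <!--Microsoft default exclusion | NOTE(review): this is the Azure Traffic Manager namespace, not an ad network; customers pick their own labels under it, so this suffix also drops lookups for arbitrary third-party names. Confirm this is acceptable before deploying.-->
        <QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
        <QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
        <QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
        <QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
        <QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
        <QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
        <QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
        <!-- Exact-name exclusions: only the listed host is dropped, not its subdomains. -->
        <QueryName condition="is">1rx.io</QueryName> <!--Ads-->
        <QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
        <QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
        <QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
        <QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
        <QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
        <QueryName condition="is">l.google.com</QueryName> <!--Google-->
        <QueryName condition="is">ml314.com</QueryName> <!--Ads-->
        <QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
        <QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
        <QueryName condition="is">www.googletagservices.com</QueryName> <!--Google-->
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>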