Understanding "Exec" filtering syntax
#1
JF_427179
I am trying to filter certain Windows Server events. I have the following code:
```
if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
{
    drop();
}
if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
{
    drop();
}
if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
{
    drop();
}
```
The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event.
The second says that if the SubjectUserName and SubjectUserSid are certain values **and** either the ProcessName or NewProcessName are a certain value, then drop the event.
The third basically is doing the same thing as the second one, except using different values.
Do I have the syntax correct for this?
Yes, you're right - that's what the three conditionals are supposed to do.
The syntax looks good, too, but let us know in case you have any issues.
Good luck!
Rafal
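The three drop rules from the question, re-implemented in Python and run over a handful of constructed Windows Security events, to show exactly which events each rule suppresses and which still reach the collector. This is an added example, not code from the original post or from NXLog. It assumes the field names used in the post ($EventID, $TargetSid, $SubjectUserSid, $SubjectUserName, $ProcessName, $NewProcessName), treats EventID as an integer, and assumes that NXLog's `==` on strings is an exact, case-sensitive comparison and that an absent field never matches; the sample events are constructed here, not real log data.

```python
# Added example (not from the original post or NXLog): the three drop rules
# from the question, re-implemented in Python and run over constructed
# Windows Security events, to show which events each rule suppresses.
#
# Assumptions: field names mirror the im_msvistalog fields used in the post;
# EventID is an integer; string comparison is exact and case-sensitive; a
# field absent from the event never matches (assumed to mirror NXLog's `==`).

NETVAULT_POSTGRES = r"C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe"
HVAC_POSTGRES = r"C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe"
GROUP_SID = "S-1-5-21-3629192509-3943823860-1568066966-20147"
ADMIN_SID = "S-1-5-21-3629192509-3943823860-1568066966-20118"


def rule_group_change(ev):
    """Rule 1: 4737 (security-enabled global group changed) for one specific
    group (TargetSid), made by one specific account (SubjectUserSid)."""
    return (ev.get("EventID") == 4737
            and ev.get("TargetSid") == GROUP_SID
            and ev.get("SubjectUserSid") == ADMIN_SID)


def _service_process(ev, user, sid, exe):
    # Rules 2 and 3 share this shape: one service/machine account AND one exe.
    # 4688 (process creation) carries NewProcessName while 4689 (process exit)
    # carries ProcessName, so either field is accepted, as in the post's OR.
    return (ev.get("SubjectUserName") == user
            and ev.get("SubjectUserSid") == sid
            and (ev.get("ProcessName") == exe or ev.get("NewProcessName") == exe))


def rule_netvault(ev):
    return _service_process(ev, "NETVAULT$", "S-1-5-20", NETVAULT_POSTGRES)


def rule_hvac(ev):
    return _service_process(ev, "HVAC$", "S-1-5-18", HVAC_POSTGRES)


RULES = [(1, rule_group_change), (2, rule_netvault), (3, rule_hvac)]


def drop_reason(ev):
    """Return the number of the first rule that drops the event, else None."""
    for number, rule in RULES:
        if rule(ev):
            return number
    return None


def apply_filters(events):
    """Equivalent of the Exec block: events matching any rule are dropped."""
    return [ev for ev in events if drop_reason(ev) is None]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"id": "a", "EventID": 4737, "TargetSid": GROUP_SID, "SubjectUserSid": ADMIN_SID},
    # Same group, changed by a different account: must NOT be dropped.
    {"id": "b", "EventID": 4737, "TargetSid": GROUP_SID,
     "SubjectUserSid": "S-1-5-21-3629192509-3943823860-1568066966-1105"},
    {"id": "c", "EventID": 4688, "SubjectUserName": "NETVAULT$",
     "SubjectUserSid": "S-1-5-20", "NewProcessName": NETVAULT_POSTGRES},
    {"id": "d", "EventID": 4689, "SubjectUserName": "NETVAULT$",
     "SubjectUserSid": "S-1-5-20", "ProcessName": NETVAULT_POSTGRES},
    # Same account spawning something other than postgres: kept.
    {"id": "e", "EventID": 4688, "SubjectUserName": "NETVAULT$",
     "SubjectUserSid": "S-1-5-20", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": "f", "EventID": 4688, "SubjectUserName": "HVAC$",
     "SubjectUserSid": "S-1-5-18", "NewProcessName": HVAC_POSTGRES},
    # Right exe, but the path differs only in case: exact match fails, kept.
    {"id": "g", "EventID": 4688, "SubjectUserName": "HVAC$",
     "SubjectUserSid": "S-1-5-18", "NewProcessName": HVAC_POSTGRES.lower()},
    # Right exe and SID, but the account name belongs to the other rule: kept.
    {"id": "h", "EventID": 4688, "SubjectUserName": "NETVAULT$",
     "SubjectUserSid": "S-1-5-18", "NewProcessName": HVAC_POSTGRES},
]


def kept_ids(events=SAMPLE_EVENTS):
    """IDs of the sample events that survive all three rules."""
    return [ev["id"] for ev in apply_filters(events)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], ev["EventID"], "dropped by rule", drop_reason(ev) or "-")
    print("kept:", kept_ids())
```

Events b, e, g and h survive: the rules only suppress the exact SID/account/path combinations, so a different account touching the same group, the backup account launching cmd.exe, or the same binary under a differently-cased path all still reach the collector. Event g is the one to keep in mind when maintaining such filters: if the path recorded in the event does not match the literal byte for byte (for example because of case), the suppression silently stops working and the event volume comes back.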