In addition to the simple filter options, exclusion event filters exclude certain event types. Using this filter, you define the criteria of the events to exclude. You can use this filter activate a group of events and then exclude some of the events in that group.
This filter type is useful when you want to create a filter based on a severity or a category of events, but you want to exclude some specific event types. Instead of creating event filters for each event that you want to include, you can specify the event types that you want to exclude. By using exclusion event filters, it is easier to remove events that you do not want to monitor.
For example, using this filter type you can monitor the Windows® Security event log events, but exclude security alerts 528, 551, and 552.