You should use [WMI:WinEventLog:Security] in props.conf
Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf
... View more