Here's one of my inputs that works.

 [WinEventLog://Security]
 disabled = 0
 start_from = oldest
 current_only = 0
 evt_resolve_ad_obj = 1
 checkpointInterval = 5
 blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
 blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
 blacklist3 = EventCode="5156" Message="Application Name:\s+(?!.*splunkd.exe)"
 index = idx_security
 renderXml=false

I think in your case, you can just add

blacklist1 = EventCode="4634"

Assuming that 'EventCode' is a valid field.