diff --git a/imageroot/bin/expand-configuration b/imageroot/bin/expand-configuration
index de051a8..096e4fb 100755
--- a/imageroot/bin/expand-configuration
+++ b/imageroot/bin/expand-configuration
@@ -164,4 +164,4 @@ if whitelists:
 ## expand the tainted configuration files
 os.makedirs("crowdsec_config/hub/parsers/s01-parse/crowdsecurity", exist_ok=True)
 shutil.copyfile("../tainted/nextcloud-logs.yaml", "crowdsec_config/hub/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml")
-shutil.copyfile("../tainted/nethvoice-whitelist.yaml", "crowdsec_config/hub/parsers/s02-enrich/crowdsecurity/nethvoice-whitelist.yaml")
+shutil.copyfile("../tainted/nethvoice-whitelist-http-probing.yaml", "crowdsec_config/parsers/s02-enrich/nethvoice-whitelist-http-probing.yaml")
diff --git a/imageroot/tainted/nethvoice-whitelist-http-probing.yaml b/imageroot/tainted/nethvoice-whitelist-http-probing.yaml
index f736a78..992c8cb 100644
--- a/imageroot/tainted/nethvoice-whitelist-http-probing.yaml
+++ b/imageroot/tainted/nethvoice-whitelist-http-probing.yaml
@@ -13,3 +13,5 @@ whitelist:
 - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/mobiles'
 - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/nethlink'
 - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/mobileapp/'
+ - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/migration'
+ - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/freepbx/rest/login' # dangerous, this field is done by a user that has not been authenticated
diff --git a/imageroot/tainted/nethvoice-whitelist.yaml b/imageroot/tainted/nethvoice-whitelist.yaml
deleted file mode 100644
index 5ff5247..0000000
--- a/imageroot/tainted/nethvoice-whitelist.yaml
+++ /dev/null
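Review bot: The added copy on the last line of the first hunk writes into `crowdsec_config/parsers/s02-enrich/`, but the only directory this hunk creates is `crowdsec_config/hub/parsers/s01-parse/crowdsecurity`, and shutil.copyfile raises FileNotFoundError when the destination directory does not exist. Unless `parsers/s02-enrich` is created earlier in the script (outside this hunk), expansion fails at this line; adding `os.makedirs("crowdsec_config/parsers/s02-enrich", exist_ok=True)` directly before the copy would make the step self-contained, mirroring what is already done for s01-parse. The removed line had the same dependency on a directory not created here, so this may be handled elsewhere — worth confirming rather than assuming. The script body continues outside the hunk.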
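Review bot: The second added line in the nethvoice-whitelist-http-probing.yaml hunk exempts `403` responses to `GET` on `/freepbx/rest/login`, and its own trailing comment says the request comes from a user that has not been authenticated — that is precisely the traffic an http-probing whitelist should be most careful about, since every matching event is dropped from the scenario's count for that source. If the legitimate client behaviour that produces this 403 is known, the match should be narrowed rather than exempting the whole path prefix, e.g. `evt.Meta.http_path == '/freepbx/rest/login'` instead of `contains`, which also matches any sub-path. The comment should state why the exemption is acceptable and when to revisit it, not only that it is dangerous, e.g. `# 403 on GET /freepbx/rest/login is produced by unauthenticated clients (<rationale/ticket>); whitelisting it hides login-endpoint probing from this scenario`. The file's `filter` and the `whitelist:` header that scope these expressions are outside the hunk.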
@@ -1,11 +0,0 @@
-name: crowdsecurity/nethvoice-whitelist
-description: "Whitelist events from nethvoice"
-filter: "evt.Parsed.program startsWith 'nethvoice'"
-whitelist:
- reason: "nethvoice Whitelist"
- expression:
- - evt.Meta.http_status == '404'
- - evt.Meta.http_status == '403'
- - evt.Meta.http_status == '402'
- - evt.Meta.http_status == '401'
- - evt.Meta.http_status == '400'