4624 log stoms

I found this post Dropping logon events for computer accounts not working
where i says you should add the following lines

  • name: Security
    processors:
    • drop_event:
      when:
      and:
      - equals:
      event.code: 4624
      - regexp:
      winlog.event_data.TargetUserName: '.*$'

however i can't get it to work in my file listed below


winlogbeat.event_logs:

  • name: Application
    ignore_older: 72h

  • name: System
    event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6

  • name: Security
    event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767
    processors:

  • drop_event:
    when:
    and:
    - equals:
    event.code: 4624
    - regexp:
    winlog.event_data.TargetUserName: '.*$'

  • name: Microsoft-Windows-Sysmon/Operational

  • name: Windows PowerShell

  • name: Microsoft-Windows-Sysmon/Operational

  • name: Microsoft-Windows-PowerShell/Operational