I found this post, Dropping logon events for computer accounts not working, where it says you should add the following lines:
```yaml
- name: Security
  processors:
    - drop_event:
        when:
          and:
            - equals:
                event.code: 4624
            - regexp:
                # note: an unescaped "$" is an end-of-string anchor, so '.*$' matches every name;
                # a literal trailing dollar sign (computer accounts) needs '.*\$$'
                winlog.event_data.TargetUserName: '.*$'
```
However, I can't get it to work in my file, listed below:
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
    event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6
  - name: Security
    event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767
    processors:
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4624
              - regexp:
                  # match only names ending in a literal "$" (computer accounts);
                  # the dollar sign must be escaped, otherwise the pattern matches everything
                  winlog.event_data.TargetUserName: '.*\$$'
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Microsoft-Windows-PowerShell/Operational
```
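To see why the pattern matters, here is an added example (not from the post or from Winlogbeat itself) that runs both patterns against a few constructed `TargetUserName` values with Go's `regexp` package, which uses the same RE2 syntax as the Beats `regexp` condition. The `shouldDrop` helper is an assumed simplification of the `drop_event` condition above: it treats the event code as a string and combines it with the escaped pattern.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample TargetUserName values; computer accounts end in "$".
var sampleNames = []string{"WORKSTATION01$", "DC01$", "alice", "svc_backup", "SYSTEM"}

// unescaped is the pattern as it appears in the post. Here "$" is an
// end-of-string anchor, so ".*$" matches every name, and the drop_event
// condition would discard all 4624 events, not just computer logons.
const unescaped = `.*$`

// escaped matches only names whose last character is a literal dollar sign.
const escaped = `.*\$$`

// matchNames returns the subset of names matched by pattern, in input order.
func matchNames(pattern string, names []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, n := range names {
		if re.MatchString(n) {
			out = append(out, n)
		}
	}
	return out, nil
}

// shouldDrop mirrors the intended drop_event condition (assumed simplification):
// event code 4624 AND TargetUserName ending in a literal "$".
func shouldDrop(eventCode, targetUserName string) bool {
	return eventCode == "4624" && regexp.MustCompile(escaped).MatchString(targetUserName)
}

func main() {
	for _, p := range []string{unescaped, escaped} {
		m, err := matchNames(p, sampleNames)
		if err != nil {
			fmt.Println("bad pattern:", err)
			continue
		}
		fmt.Printf("pattern %-8q matches %v\n", p, m)
	}
}
```

Running it shows `.*$` matching all five names while `.*\$$` matches only the two computer accounts, which is the behaviour a filter for computer logons should have.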