For reference: what works and what doesn't when writing conditions for processors in auditbeat (the if/then/else processor syntax comes from libbeat, so the same rules apply to the other Beats).
Adding multiple conditions as separate processors (which behaves like an OR, since each processor is evaluated independently and either match drops the event) works fine like this:
processors:
  # First processor: drop anything the node_exporter binary does
  - if:
      equals:
        process.executable: "/home/node_exporter"
    then:
      drop_event:
  # Second processor: drop anything going to port 5044
  - if:
      equals:
        destination.port: 5044
    then:
      drop_event:
But if you try to combine multiple conditions under one IF by writing them as plain keys under or:, it fails. The below will fail, because or: expects a YAML list of conditions (each item prefixed with a dash), and repeating equals: as a mapping key is not a list:
processors:
  - if:
      equals:
        process.executable: "/home/node_exporter"
    then:
      drop_event:
  - if:
      # Broken: or: is given a mapping with equals: twice instead of a list of conditions
      or:
        equals:
          destination.port: 5044
        equals:
          destination.port: 8081
    then:
      drop_event:
Likewise, AND conditions written the same way do not work:
  - if:
      # Broken for the same reason: and: needs a list, not repeated equals: keys
      and:
        equals:
          destination.port: 555
        equals:
          destination.ip: 3.3.3.3
    then:
      drop_event:
I will be editing this to add more examples as I figure out the rules, since there are zero good examples of this provided by Elastic or seemingly published anywhere.
EDITED FOR SOME WORKING EXAMPLES.
This works for multiple ORs. Note the dashes: each condition under or: is an item in a YAML list, so equals: can appear as many times as you need:
processors:
  - if:
      or:
        - equals:
            process.executable: "/home/node_exporter"
        - equals:
            destination.port: 5044
        - equals:
            destination.port: 8081
        - equals:
            destination.ip: "127.0.0.53"
    then:
      drop_event:
And finally, here is how to nest or/and conditions. A list item under or: can itself be an and: (or another or:) carrying its own list, to any depth:
processors:
  - if:
      or:
        - equals:
            process.executable: "/home/node_exporter"
        - equals:
            destination.port: 5044
        - equals:
            destination.port: 8081
        - equals:
            destination.ip: "127.0.0.53"
        # Nested: port 555 AND (ip 3.3.3.3 OR ip 4.4.4.4)
        - and:
            - equals:
                destination.port: 555
            - or:
                - equals:
                    destination.ip: 3.3.3.3
                - equals:
                    destination.ip: 4.4.4.4
    then:
      drop_event:
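To pull the rules together, here is an added example (my own config fragment, not the author's and not taken from Elastic's docs) that uses the same fields as the page plus two further conditions from the Beats condition syntax, not: and range:. The addresses 10.0.0.5, 3.3.3.3 and 4.4.4.4 and the port range are made-up values chosen only to show the structure.

```yaml
# auditbeat.yml fragment (added example). Rules for conditions under one if:
#   equals:    one mapping of field -> value (string, integer or bool)
#   and:/or:   a YAML list of conditions, every item written as "- <condition>:"
#   not:       a single condition (no list, no dash)
#   range:     field.gte / field.gt / field.lte / field.lt keys with numeric values
processors:
  - if:
      or:
        # Anything the node_exporter binary does
        - equals:
            process.executable: "/home/node_exporter"
        # Traffic to port 5044, unless it goes to 10.0.0.5 (made-up address we want to keep)
        - and:
            - equals:
                destination.port: 5044
            - not:
                equals:
                  destination.ip: "10.0.0.5"
        # Ephemeral-port traffic to either of two made-up addresses
        - and:
            - range:
                destination.port.gte: 49152
                destination.port.lte: 65535
            - or:
                - equals:
                    destination.ip: "3.3.3.3"
                - equals:
                    destination.ip: "4.4.4.4"
    then:
      drop_event: {}
```

Two practical checks. First, destination.port is numeric in the event and the equals condition compares the type as well as the value, so leave port numbers unquoted (5044, not "5044"), while IP addresses are strings and may be quoted. Second, run auditbeat test config -c /etc/auditbeat/auditbeat.yml before restarting the service: it prints Config OK when the processors parse, and otherwise reports the YAML or condition error instead of leaving you with a shipper that silently fails to start.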