I have what was a simple winlogbeat drop:
- drop_event.when:
    and:
      - equals.event_id: 4688
      - contains.message: "New Process Name"
      - contains.message: "splunk"
I can't figure out in the doc how to put the equivalent in the custom windows event logs "custom configuration" field. It seems it should work there, but the link to conditional shows very confusing syntax.
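The same drop written out in the long form that Beats processors accept, as an added illustration rather than anything from the original post or from the Elastic docs. It assumes that the Elastic Agent "Custom Windows Event Logs" integration's Processors field takes the same processor list syntax as a winlogbeat.yml `processors:` section, and that under Agent's field naming the event ID is in `winlog.event_id` (both are assumptions to check against your own Agent version).

```yaml
# Added example: Beats-style processor list, long form.
# Assumed to be what goes in the integration's Processors field;
# in winlogbeat.yml the same list sits under a top-level "processors:" key.
- drop_event:
    when:
      and:
        # Assumed field name under Elastic Agent; the original post used "event_id".
        # Check the type your events carry: "equals" does not match a string
        # value against a number, so quote the ID if the field is a keyword.
        - equals:
            winlog.event_id: "4688"
        # Every "contains" is a plain substring match on the rendered message.
        - contains:
            message: "New Process Name"
        - contains:
            message: "splunk"
```

The dotted form from the post (`drop_event.when` / `equals.event_id`) and this nested form are equivalent; the nested form is easier to read once a condition has more than a couple of clauses. Before relying on it, send a few 4688 events through and confirm that the ones you expect to keep still arrive: a `contains` on `message` drops any process-creation event whose text mentions "splunk" anywhere, not only events where splunk is the parent or the new process, so match on the specific field (for example the new process path) if you need the filter to be narrower.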