Custom index filter

I am attempting to put specific messages from sysmon into their own index so I can apply a separate lifecycle policy to them. I thought I had this policy correct but it does not seem to be working properly.

The query I am looking for is "winlog.channel = Microsoft-Windows-Sysmon/Operational" AND (event.code = 1 OR event.code = 2 OR event.code = 5 OR event.code = 10 OR event.code = 25)

This is what I have that doesn't appear to be working:

output.elasticsearch:
  indices:
    # Sysmon channel AND event.code in (1, 2, 5, 10, 25)
    - index: "winlogbeat-process-%{[agent.version]}"
      when:
        and:
          - equals:
              winlog.channel: "Microsoft-Windows-Sysmon/Operational"
          - or:
              - equals:
                  event.code: "1"
              - equals:
                  event.code: "2"
              - equals:
                  event.code: "5"
              - equals:
                  event.code: "10"
              - equals:
                  event.code: "25"

What would be the correct way to do this in the configuration file?

I have made a little progress but I am making sure this works properly. I think the format is more like "event.code: 1 or event.code: 5 or event.code: 10 and winlog.channel: "Microsoft-Windows-Sysmon/Operational"" instead of the format I wanted at the top. Maybe it is not possible:

output.elasticsearch:
  indices:
    # As written: event.code in (1, 2, 5, 10, 25) from any channel,
    # OR any event from the Sysmon channel
    - index: "winlogbeat-process-%{[agent.version]}"
      when:
        or:
          - equals:
              event.code: "1"
          - equals:
              event.code: "2"
          - equals:
              event.code: "5"
          - equals:
              event.code: "10"
          - equals:
              event.code: "25"
          - and:
              - equals:
                  winlog.channel: "Microsoft-Windows-Sysmon/Operational"

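To see which events each of the two condition trees above would actually route to the process index, here is a small evaluator added as an example (it is not Winlogbeat's own code and not from the post). It models `and`, `or` and `equals` with plain equality, assumes `event.code` arrives as a string, and runs over constructed sample events.

```python
"""Evaluate Beats-style `when` condition trees (and / or / equals) over sample events."""

# Constructed sample events, flattened to the two fields the conditions inspect.
EVENTS = {
    "sysmon_process_create": {"winlog.channel": "Microsoft-Windows-Sysmon/Operational", "event.code": "1"},
    "sysmon_driver_load":    {"winlog.channel": "Microsoft-Windows-Sysmon/Operational", "event.code": "6"},
    "security_logon":        {"winlog.channel": "Security", "event.code": "1"},
}


def evaluate(cond, event):
    """Return True if `event` satisfies `cond`, a dict shaped like a `when:` block."""
    (op, body), = cond.items()  # every node is a single-key mapping
    if op == "equals":
        # All listed fields must match exactly (string comparison, assumed here)
        return all(event.get(field) == value for field, value in body.items())
    if op == "and":
        return all(evaluate(child, event) for child in body)
    if op == "or":
        return any(evaluate(child, event) for child in body)
    raise ValueError(f"unsupported condition: {op}")


SYSMON = {"equals": {"winlog.channel": "Microsoft-Windows-Sysmon/Operational"}}
CODES = [{"equals": {"event.code": code}} for code in ("1", "2", "5", "10", "25")]

# First config from the post: channel AND (code 1|2|5|10|25)
FIRST = {"and": [SYSMON, {"or": CODES}]}
# Second config from the post: (code 1|2|5|10|25) OR (channel)
SECOND = {"or": CODES + [{"and": [SYSMON]}]}


def route(cond):
    """Names of the sample events the condition would send to the process index."""
    return sorted(name for name, event in EVENTS.items() if evaluate(cond, event))


if __name__ == "__main__":
    print("first config routes: ", route(FIRST))
    print("second config routes:", route(SECOND))
```

Only the first tree limits the index to Sysmon events with the listed codes; the second also pulls in every other Sysmon event and matching codes from unrelated channels.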