I am using Fleet to configure agent policies for windows servers.
I configure to get several security events 4624, 4625, 4771 and drop events when LogonType = 3
I ve configure procesor like this:
The result is no security channel events are ingested in Elasticsearch.
Hi,
Try changing your condition to compare winlog.event_data.LogonType to the string "3" instead:
drop_event:
when:
equals:
winlog.event_data.LogonType: "3"
Regards
Thanks!
Thats resolve the problem
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.