Hello! So, we're looking to forward Windows Firewall logs via WinLogBeat, into LogStash, for review/security. My desire is, however, to 'drop' 'known blocks'; that is, for example, we're going to block TCP 137. This is easy, it's doable, but the end result is we get a ton of 137 blocks; this is expected, but I don't want them; I know I'm dropping 137. I cannot, however, figure out how to block "CONTENT" of EventIDs. Here's my WinLogBeat config:
winlogbeat.event_logs:
  - name: Security
    event_id: 5031,5154,5155,5156,5157,5158,5159
    level: critical, error, warning, information
    ignore_older: 48h
My struggle is the processor side. I've tried every variation I can think of, and we still get port 137. Here's what the resultant info looks like, scrubbed of any company info.
{"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","channel":"Security","event_data":{"LayerName":"%%14610","DestAddress":"10.206.101.255","ProcessID":"4","DestPort":"137","SourceAddress":"10.206.100.124","FilterRTID":"483314","SourcePort":"137","LayerRTID":"44","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"System","Direction":"%%14592","Protocol":"17"},"computer_name":"COMPUTER.DOMAIN.NET","version":1,"task":"Filtering Platform Connection","record_id":13006577,"process":{"pid":4,"thread":{"id":216}},"event_id":5157,"provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info"},"event":{"action":"Filtering Platform Connection","kind":"event","created":"2019-07-29T18:29:37.094Z","code":5157},"log":{"level":"information"},"@timestamp":"2019-07-29T18:29:35.988Z","ecs":{"version":"1.0.0"},"host":{"name":"LOH0015VPB4Q2","hostname":"COMPUTERNAME","architecture":"x86_64","os":{"family":"windows","name":"Windows 10 Pro","kernel":"10.0.18362.267 (WinBuild.160101.0800)","platform":"windows","version":"10.0","build":"18362.267"},"id":"3e005dd5-f907-415c-a0e5-dcbe462d4660"},"agent":{"hostname":"COMPUTERNAME","version":"7.2.0","ephemeral_id":"a51b70ff-fd2e-407e-b1c7-78abcea26f45","id":"b5ec3305-c70c-4a98-9916-1b8808c8a769","type":"winlogbeat"},"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t10.206.100.124\n\tSource Port:\t\t137\n\tDestination Address:\t10.206.101.255\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t483314\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","@version":"1"}
My hope/desire is to filter off of either "SourcePort:137", or "Source Port:\t\t137"; I don't really care. Once I know how to filter off one, I can filter off others.
Thanks!
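One way to drop the port-137 block events at the Winlogbeat side, as an added example that is not from the original post or from Elastic's documentation. It assumes the 7.x field layout visible in the JSON above (winlog.event_id as a number, winlog.event_data.SourcePort as a string) and matches on the structured event_data fields rather than on the free-text message:

```yaml
# Constructed example winlogbeat.yml fragment: keep the event log section
# from the post and add a top-level drop_event processor.
winlogbeat.event_logs:
  - name: Security
    event_id: 5031,5154,5155,5156,5157,5158,5159
    level: critical, error, warning, information
    ignore_older: 48h

processors:
  # Drop WFP "blocked a connection" events (5157) whose source port is 137.
  # In 7.x the field path is winlog.event_data.<Name>, not event_data.<Name>
  # as in 6.x; a wrong path silently matches nothing and the event is kept.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 5157          # JSON shows a number here
          - equals:
              winlog.event_data.SourcePort: "137"  # event_data values are strings, so quote the port

  # Same idea for the other direction, so a block where only the destination
  # port is 137 is dropped as well. Remove this entry if only the source-port
  # case is wanted.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 5157
          - equals:
              winlog.event_data.DestPort: "137"
```

The processors block can also be placed under the individual `- name: Security` entry if you want it scoped to that channel only; either position is accepted by Winlogbeat 7.x.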