This will get past the configuration check, but appears that it filters all events out.
I think the OR is what is tripping me up. The other posts I've studied are close, but I can't recreate a working solution.
The logic is:
drop_event.when.not:
(event id == 4624) -and (LogonType in [2,7,10])
or
(event id == 4634) -and (LogonType in [2,7,10])
or
event id == 4616
event id == 4625
event id == 4778
And this is my attempt:
- winlogbeat.event_logs:
- name: Security
tags: ["winlog_security"]
ignore_older: 24h
processors:
- drop_event.when.not:
-and:
equals.event_id: 4624
-and:
equals.winlog.event_data.LogonType: "2"
equals.winlog.event_data.LogonType: "7"
equals.winlog.event_data.LogonType: "10"
equals.event_id: 4634
-and:
equals.winlog.event_data.LogonType: "2"
equals.winlog.event_data.LogonType: "7"
equals.winlog.event_data.LogonType: "10"
-or:
equals.event_id: 4616
equals.event_id: 4625
equals.event_id: 4778