Hey @kubekpk,
I think the condition for event_id should be `equals.winlog.event_id: 4624`, as the event_id field is under a winlog object.
You can take a look at this topic, where a similar configuration is discussed: Filter system logons
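A winlogbeat.yml fragment that puts the nested condition in context, added here as an illustration and not taken from the thread above or from the Winlogbeat project; the Security channel name and the choice to keep only event 4624 are assumptions made for the example:

```yaml
winlogbeat.event_logs:
  - name: Security   # assumed channel; the thread does not name one

processors:
  # Top-level path (what the original condition looked like):
  # `event_id` is not a top-level field on the event, so `equals` is
  # false for every event, and wrapped in `not` it drops everything.
  # - drop_event:
  #     when:
  #       not:
  #         equals:
  #           event_id: 4624

  # Nested path as suggested in the reply: the field lives under the
  # winlog object, so drop every event that is not a 4624 logon.
  - drop_event:
      when:
        not:
          equals:
            winlog.event_id: 4624
```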