Filter out Windows proccesses

Thomas_Kucirek · May 9, 2019, 3:04pm

Hi, i want to filter the events collected by the winlogbeat. Because it is a lot of unwanted noise, i want to drop all events that come from the System32 processes like svchost, backGroundTaskhost etc.

I've tried using drop_event in different ways but it does not seem to work since it is still included in the output.
I tried several ways based on examples i found but none of them seem to do anything:

 - drop_event:
    when.or:
      - regexp.event_data.NewProcessName: 'C:\\Windows\\System32\\*'

  - drop_event:
     when:
       equals.event_data.ParentProcessName: ['C:\\Windows\\System32\\svchost.exe']


  - drop_event:
     when:
        contains:
           event_data.NewProcessName: ["C:\\Windows\\System32*"]

Any help for this is very much appreciated and i hope the formatting was ok.
Thanks

Thomas_Kucirek · May 9, 2019, 4:24pm

Ok I managed to work around it by filtering the message of the event for the System32 directory and drop the event if it is contained:

  - drop_event.when:
       contains.message: "C:\\Windows\\System32\\"

But later on i would like to drop the field message if possible so any further directions would be helpful.

system · June 6, 2019, 4:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cant filter out events? Beats winlogbeat	15	869	November 24, 2020
Drop_event not working via process name or path Beats winlogbeat	3	467	March 29, 2022
Would dropping events by regexp match be possible? Beats winlogbeat	3	598	January 17, 2020
Processor [drop_event] not dropping events Beats winlogbeat	9	9096	February 16, 2017
Filtering Winlogbeat on Event ID Beats winlogbeat	8	10032	July 5, 2017

Filter out Windows proccesses

Related Topics