Filter out Windows proccesses

Thomas_Kucirek · May 9, 2019, 3:04pm

Hi, i want to filter the events collected by the winlogbeat. Because it is a lot of unwanted noise, i want to drop all events that come from the System32 processes like svchost, backGroundTaskhost etc.

I've tried using drop_event in different ways but it does not seem to work since it is still included in the output.
I tried several ways based on examples i found but none of them seem to do anything:

 - drop_event:
    when.or:
      - regexp.event_data.NewProcessName: 'C:\\Windows\\System32\\*'

  - drop_event:
     when:
       equals.event_data.ParentProcessName: ['C:\\Windows\\System32\\svchost.exe']


  - drop_event:
     when:
        contains:
           event_data.NewProcessName: ["C:\\Windows\\System32*"]

Any help for this is very much appreciated and i hope the formatting was ok.
Thanks

Thomas_Kucirek · May 9, 2019, 4:24pm

Ok I managed to work around it by filtering the message of the event for the System32 directory and drop the event if it is contained:

  - drop_event.when:
       contains.message: "C:\\Windows\\System32\\"

But later on i would like to drop the field message if possible so any further directions would be helpful.

system · June 6, 2019, 4:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.