Filter system logons

hello, in new version of 7.6.1 I have issue with filtering system logons which occur in events 4624 and 4634.
I tried this one with some modification

https://github.com/HASecuritySolutions/Logstash/blob/master/winlogbeat_example.yml
without succes , this one too :

    ignore_older: 72h
    processors:
    - drop_event.when.not.or:
      - equals.winlog.event_id: 4624
      - equals.winlog.event_id: 4634
      - contains.winlog.event_data.TargetUserName: "SYSTEM"'

this one too :

   - drop_event:
       when:
         and:
           - equals:
               winlog.event_id: 4624
           - regexp:
               winlog.event_data.TargetUserName: '.*\$''
  - name: Security
    ignore_older: 72h
    processors:
    - drop_event:
       when:
         equals:
           winlog.event_id: 4624
           winlog.event_id: 4634

please help

What should the filter do? Drop event ID 4624 or 4634 where TargetUserName is "SYSTEM"?

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - equals.winlog.event_data.TargetUserName: "SYSTEM"

Many thanks, i wasn't so far :wink:
how can I add more users like SQLINSTANCE, adding this

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - equals.winlog.event_data.TargetUserName: "SYSTEM"
          - equals.winlog.event_data.TargetUserName: "NAMESQL"

and modyfing like this
- equals.winlog.event_data.TargetUserName: "NAMESQL","SYSTEM"
doesn't work