Help with Winlogbeat and filtering computer accounts

I have a few ELK stacks up and running but I'm getting a lot of false 'Admin User Sessions' which are the computer accounts eg computer$. I'm using Windows Event forwarding to send all security related events over to my winlogbeat system then ship them over to ELK.

I tried to drop some of the events but how do I drop these computer objects from showing up as normal users?

image

image

Thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.