I want to drop events with the following conditions:
"If (event.id=(x or y) AND user.name=a) OR (event.id= z and process.name = 'cmd.exe') "
But I just can't figure out the conditions.
Do you have an example of your attempt? How far have you reached. Can you share the error too, please?