Nested condition in drop_event processor

I want to drop events with the following conditions:
"If (event.id = (x or y) AND user.name = a) OR (event.id = z AND process.name = 'cmd.exe')"

But I just can't figure out the conditions.

Do you have an example of your attempt? How far have you reached? Can you share the error too, please?
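The condition from the question, written as a nested `or`/`and` tree, as an added example that is not from either poster. It assumes the `processors` section of a Beats configuration (for example `winlogbeat.yml` or `filebeat.yml`); `x`, `y`, `z` and `a` are the question's own placeholders.

```yaml
# Added example: assumes a Beats configuration file.
# x, y, z and a are placeholders taken from the question; replace them
# with the real values before use.
processors:
  - drop_event:
      when:
        or:
          # Branch 1: event.id is x or y, AND user.name is a
          - and:
              - or:
                  - equals:
                      event.id: "x"
                  - equals:
                      event.id: "y"
              - equals:
                  user.name: "a"
          # Branch 2: event.id is z AND process.name is cmd.exe
          - and:
              - equals:
                  event.id: "z"
              - equals:
                  process.name: "cmd.exe"
```

Events matched by `drop_event` are discarded at the shipper and never reach the output, so each branch should be kept as narrow as the noise it is meant to remove.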
