Thank you.
I put in the below, and the config check says it is OK, but then I am still getting events outside of the allowed.
processors:
- drop_event.when.not.or:
- equals.event_id: 1102
- equals.event_id: 4618
- not.equals.event_id: 4624
- not.equals.event_id: 4625
- not.equals.event_id: 4648
- not.equals.event_id: 4649
- not.equals.event_id: 4657
- not.equals.event_id: 4672
- not.equals.event_id: 4692
- not.equals.event_id: 4693
- not.equals.event_id: 4694
- not.equals.event_id: 4706
- not.equals.event_id: 4714
- not.equals.event_id: 4724
- not.equals.event_id: 4735
- not.equals.event_id: 4740
- not.equals.event_id: 4892
- not.equals.event_id: 4896
- not.equals.event_id: 4897
- not.equals.event_id: 4963
- not.equals.event_id: 4964
- not.equals.event_id: 4964
- not.equals.event_id: 5030
- not.equals.event_id: 5124
- not.equals.event_id: 6272
- not.equals.event_id: 6273
- not.equals.event_id: 6274
- not.equals.event_id: 6275
- not.equals.event_id: 6276
- not.equals.event_id: 6277
- not.equals.event_id: 6278
- not.equals.event_id: 6279
- not.equals.event_id: 6280
- contains.event_data.param3: powershell.exe
- contains.event_data.param3: powershell_ise.exe