I'm using latest winlogbeat with ECS and its shipping security events in Elasticsearch. I've created a local user on Windows machine without password and get error, that password does not compline with local policies.
In windows event viewer I see three events:
- event_id = 4720 - user created.
- event_id = 4729 - user was removed from a security-enabled global group.
- event_id = 4726 - user deleted.
If i create user correctly I have only one event with id 4720 and its fine.
How can I filter out "wrong created" users using elasticsearch query?