Struggling with Drop_Event Processor Syntax and Structure

I'm struggling to get the proper syntax and structure for the following criteria for dropping a specific security log event in Winlogbeat. I can create something that passes the configuration check but it doesn't produce the desired results. Following is a text description of what I'm trying to do. What would be the equivalent drop_event processor?

Drop event when event.code = 6488 and winlog.event_data.SubjectUserName = '.$' and winlog.event_data.TokenElevationType is not '%%1937' and process.parent.name is not 'cmd.exe' or 'powershell.'

I've looked for similar examples in this forum but haven't found anything.

Hi! I did not test this but I'm thinking something like this:

processors:
  - drop_event:
      when:
        and:
          # event.code is an ECS keyword field, so compare it as a string;
          # equals is type-sensitive and an unquoted 6488 is an integer.
          - equals:
              event.code: "6488"
          # equals is an exact match: this only matches the literal ".$".
          # To match names that end in "$" (machine accounts) use regexp.
          - equals:
              winlog.event_data.SubjectUserName: ".$"
          # "not" wraps a single condition ("not.equals" is not valid syntax).
          # A value starting with "%" must be quoted in YAML.
          - not:
              equals:
                winlog.event_data.TokenElevationType: "%%1937"
          # "parent is neither cmd.exe nor powershell" is not(or(...)).
          # An "or" of two "not equals" is always true and never excludes anything.
          - not:
              or:
                - equals:
                    process.parent.name: "cmd.exe"
                - equals:
                    process.parent.name: "powershell"
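Before shipping a drop_event rule it is worth checking what the condition tree actually matches. The following is an added example, not code from the thread and not Winlogbeat's own code: a small Python model of the libbeat condition operators (and, or, not, equals, contains, regexp) run over constructed sample events. It assumes the event code and parent process names as given in the answer above, uses the regexp `\$$` as one reading of the poster's '.$' (names ending in a dollar sign, i.e. machine accounts), and treats event.code as a string, which is how ECS defines that keyword field.

```python
"""Evaluate Beats-style `when` conditions against sample events.

Added example, not part of the forum thread and not Winlogbeat code: a small
model of the libbeat condition tree (and / or / not / equals / contains /
regexp) used to check what a drop_event rule matches before deploying it.
Field names follow the ECS/Winlogbeat fields used in the thread; the sample
events are constructed, not real Windows security logs.
"""
import re

# Condition as posted in the answer, with the YAML made valid but the logic
# left as written: the `or` of two `not equals` is a tautology, and `equals`
# on ".$" only matches that literal string.
POSTED_CONDITION = {
    "and": [
        {"equals": {"event.code": "6488"}},
        {"equals": {"winlog.event_data.SubjectUserName": ".$"}},
        {"not": {"equals": {"winlog.event_data.TokenElevationType": "%%1937"}}},
        {"or": [
            {"not": {"equals": {"process.parent.name": "cmd.exe"}}},
            {"not": {"equals": {"process.parent.name": "powershell"}}},
        ]},
    ]
}

# Corrected condition: `not` wraps the `or`, so both parent names are
# excluded, and the account check is a regexp for names ending in "$"
# (assumed reading of the poster's '.$'). Parent names are the answer's
# values; equals is exact, so use the full image name your events carry.
CORRECTED_CONDITION = {
    "and": [
        {"equals": {"event.code": "6488"}},
        {"regexp": {"winlog.event_data.SubjectUserName": r"\$$"}},
        {"not": {"equals": {"winlog.event_data.TokenElevationType": "%%1937"}}},
        {"not": {"or": [
            {"equals": {"process.parent.name": "cmd.exe"}},
            {"equals": {"process.parent.name": "powershell"}},
        ]}},
    ]
}


def get_field(event, path):
    """Resolve a dotted field path against a nested dict; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond, event):
    """Evaluate one condition node, mirroring libbeat's `when` semantics."""
    (op, arg), = cond.items()
    if op == "and":
        return all(evaluate(c, event) for c in arg)
    if op == "or":
        return any(evaluate(c, event) for c in arg)
    if op == "not":
        return not evaluate(arg, event)
    if op == "equals":
        # Type-sensitive like libbeat: the string "6488" != the integer 6488.
        return all(get_field(event, f) == v for f, v in arg.items())
    if op == "contains":
        return all(isinstance(get_field(event, f), str) and v in get_field(event, f)
                   for f, v in arg.items())
    if op == "regexp":
        return all(isinstance(get_field(event, f), str)
                   and re.search(v, get_field(event, f)) is not None
                   for f, v in arg.items())
    raise ValueError(f"unsupported condition: {op}")


def make_event(user, elevation, parent, code="6488"):
    """Build a constructed event with the fields the rule inspects."""
    return {
        "event": {"code": code},
        "winlog": {"event_data": {"SubjectUserName": user,
                                  "TokenElevationType": elevation}},
        "process": {"parent": {"name": parent}},
    }


# Constructed sample events, labelled with the outcome the poster wants.
SAMPLE_EVENTS = {
    "svc_from_services": make_event("HOST01$", "%%1936", "services.exe"),  # drop
    "svc_from_cmd": make_event("HOST01$", "%%1936", "cmd.exe"),            # keep
    "svc_from_powershell": make_event("HOST01$", "%%1936", "powershell"),  # keep
    "svc_elevated": make_event("HOST01$", "%%1937", "services.exe"),       # keep
    "human_user": make_event("jdoe", "%%1936", "services.exe"),            # keep
    "other_event": make_event("HOST01$", "%%1936", "services.exe", "4624"),  # keep
}


def drop_decisions(condition):
    """Map each sample event name to whether drop_event would discard it."""
    return {name: evaluate(condition, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, cond in (("posted", POSTED_CONDITION), ("corrected", CORRECTED_CONDITION)):
        print(label, drop_decisions(cond))
```

Run it and the posted condition drops nothing, while the corrected one drops only the machine-account, non-elevated event whose parent is neither cmd.exe nor powershell. Swapping `"6488"` for the integer `6488` in the condition also drops nothing, which is why the value is quoted in the YAML.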
