I'm struggling to get the proper syntax and structure for the following criteria for dropping a specific security log event in Winlogbeat. I can create something that passes the configuration check but it doesn't produce the desired results. Following is a text description of what I'm trying to do. What would be the equivalent drop_event processor?
Drop event when event.code = 6488 and winlog.event_data.SubjectUserName = '.$' and winlog.event_data.TokenElevationType is not '%%1937' and process.parent.name is not 'cmd.exe' or 'powershell.'
I've looked for similar examples in this forum but haven't found anything.
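One way to express that description with the Beats conditional syntax is below. This is an added example, not the poster's configuration or an official Elastic snippet. It assumes that `'.$'` means "SubjectUserName ends with a `$`" (a computer account), that `'powershell.'` is shorthand for `powershell.exe`, and that `event.code` arrives as a string, which is how Winlogbeat 7.x and later populates that ECS field; the event code is kept exactly as the question states it.

```yaml
# Added example: drop noisy process-tracking events from machine accounts.
# Every condition must hold (and:) for the event to be dropped.
processors:
  - drop_event:
      when:
        and:
          # event.code is a keyword/string in Winlogbeat 7.x+, so quote it.
          # If your events carry it as an integer, use the unquoted number
          # instead; equals only matches when the types agree.
          - equals:
              event.code: "6488"
          # Assumption: '.$' in the question means "ends with $", i.e. a
          # computer account such as HOST$. Anchored regexp avoids matching
          # a literal "$" in the middle of a name.
          - regexp:
              winlog.event_data.SubjectUserName: '\$$'
          # Keep (do not drop) anything that ran with a full elevated token.
          - not:
              equals:
                winlog.event_data.TokenElevationType: "%%1937"
          # "is not cmd.exe or powershell" has to be written as
          # not( A or B ); a bare "or" at the top level would make
          # the whole expression far broader than intended.
          - not:
              or:
                - equals:
                    process.parent.name: "cmd.exe"
                - equals:
                    process.parent.name: "powershell.exe"   # assumed full name
```

Two checks before relying on this: first, inspect one real event (for example by running Winlogbeat with the console output or the file output) and confirm that the field names and value types match exactly what the conditions reference, since `equals` on a string field against an unquoted number silently never matches, which produces the "passes the config check but does nothing" symptom described above. Second, note that Windows process creation events are normally ID 4688, so verify the code against the events actually arriving rather than assuming the value in the description.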