Winlogbeat filtering problem

jpeyton · September 11, 2020, 10:03am

Hi,

What I want to do achieve is to send all events from the Security log except event id 4672 and 4627. This works well, but what I can't find out how to do, is make a rule that send event id 4627 only if it does not have a field called SubjectUserSid equal to S-1-0-0. My attempt:

winlogbeat.event_logs:
- name: Security
ignore_older: 24h
processors:
- drop_event.when.or:
- equals.winlog.event_id: 4672
- equals.winlog.event_id: 4627
- and:
- equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'

My attempt still filter out all security events with id 4627.

I would really appreciate if someone could help me with this one.

mazoutte · September 14, 2020, 7:28am

Hello,

You can try something like this :

processors:
- drop_event.when.or:
  - equals.winlog.event_id: 4672
  - and:
    - equals.winlog.event_id: 4627
    - equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'

jpeyton · September 14, 2020, 8:30am

That did the trick! Thank you very much.

system · October 12, 2020, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter system logons Beats winlogbeat	11	1985	May 13, 2020
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1179	November 18, 2020
Winlogbeat and drop_event filter Beats winlogbeat	5	4946	May 9, 2017
Filtering by event id Beats winlogbeat	3	3170	July 25, 2018
Winlogbeat removes the event_id of - 4624 and - 4634 in event_logs, but it is still collected when kibana queries data. What else do you need to set up? Beats winlogbeat	2	762	February 24, 2019

Winlogbeat filtering problem

Related topics