Winlogbeat filtering problem

Hi,

What I want to do achieve is to send all events from the Security log except event id 4672 and 4627. This works well, but what I can't find out how to do, is make a rule that send event id 4627 only if it does not have a field called SubjectUserSid equal to S-1-0-0. My attempt:

winlogbeat.event_logs:
- name: Security
ignore_older: 24h
processors:
- drop_event.when.or:
- equals.winlog.event_id: 4672
- equals.winlog.event_id: 4627
- and:
- equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'

My attempt still filter out all security events with id 4627.

I would really appreciate if someone could help me with this one.

Hello,

You can try something like this :

processors:
- drop_event.when.or:
  - equals.winlog.event_id: 4672
  - and:
    - equals.winlog.event_id: 4627
    - equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'
1 Like

That did the trick! Thank you very much.