What I want to do achieve is to send all events from the Security log except event id 4672 and 4627. This works well, but what I can't find out how to do, is make a rule that send event id 4627 only if it does not have a field called SubjectUserSid equal to S-1-0-0. My attempt:
- name: Security
- equals.winlog.event_id: 4672
- equals.winlog.event_id: 4627
- equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'
My attempt still filter out all security events with id 4627.
I would really appreciate if someone could help me with this one.