Winlogbeat filtering problem

jpeyton · September 11, 2020, 10:03am

Hi,

What I want to do achieve is to send all events from the Security log except event id 4672 and 4627. This works well, but what I can't find out how to do, is make a rule that send event id 4627 only if it does not have a field called SubjectUserSid equal to S-1-0-0. My attempt:

winlogbeat.event_logs:
- name: Security
ignore_older: 24h
processors:
- drop_event.when.or:
- equals.winlog.event_id: 4672
- equals.winlog.event_id: 4627
- and:
- equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'

My attempt still filter out all security events with id 4627.

I would really appreciate if someone could help me with this one.

mazoutte · September 14, 2020, 7:28am

Hello,

You can try something like this :

processors:
- drop_event.when.or:
  - equals.winlog.event_id: 4672
  - and:
    - equals.winlog.event_id: 4627
    - equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'

jpeyton · September 14, 2020, 8:30am

That did the trick! Thank you very much.

system · October 12, 2020, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.