Hello everyone,
I want to have control of log events using Winlogbeat with parsing event with id 4663, winlog.event_data.AccessMask's and winlog.event_data.AccessList's
winlog.event_data.AccessMask: "0x10000"
winlog.event_data.AccessMask: "0x20"
winlog.event_data.AccessMask: "0x4"
winlog.event_data.AccessMask: "0x2"
winlog.event_data.AccessMask: "0x40"
winlog.event_data.AccessList: "%%4417"
winlog.event_data.AccessList: "%%4418"
winlog.event_data.AccessList: "%%4420"
winlog.event_data.AccessList: "%%4422"
winlog.event_data.AccessList: "%%4424"
winlog.event_data.AccessList: "%%1537"
winlog.event_data.AccessList: "%%1539"
winlog.event_data.AccessList: "%%1540"
winlog.event_data.AccessMask > ok
winlog.event_data.AccessList > (# commented) is not working 
..from winlogbeat.yml
winlogbeat.event_logs:
- name: Security
event_id: 4663
processors:
- drop_event.when.not.or:
- equals.winlog.event_id: 4663
- equals.winlog.event_data.AccessMask: "0x10000"
- equals.winlog.event_data.AccessMask: "0x20"
- equals.winlog.event_data.AccessMask: "0x4"
- equals.winlog.event_data.AccessMask: "0x2"
- equals.winlog.event_data.AccessMask: "0x40"
# - equals.winlog.event_data.AccessList: "%%4417"
# - equals.winlog.event_data.AccessList: "%%4418"
# - equals.winlog.event_data.AccessList: "%%4420"
# - equals.winlog.event_data.AccessList: "%%4422"
# - equals.winlog.event_data.AccessList: "%%4424"
# - equals.winlog.event_data.AccessList: "%%1537"
# - equals.winlog.event_data.AccessList: "%%1539"
# - equals.winlog.event_data.AccessList: "%%1540"
Please, What am I doing wrong?
Thank you very much in advance!