winlogbeat.yml
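# Needed for Graylog: the sidecar substitutes its node name/id so Graylog
# can attribute incoming events to the right collector.
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["graylog.lab.lan:5044"]
  # NOTE(review): no ssl.* options are set, so Security-channel events leave
  # the host in clear text. Once the Beats input has TLS enabled, add
  # ssl.certificate_authorities (plus ssl.certificate / ssl.key for mutual
  # authentication) here.

# Single-quoted so the backslashes are taken literally.
path.data: 'C:\Program Files\Graylog\sidecar\cache\winlogbeat\data'
path.logs: 'C:\Program Files\Graylog\sidecar\logs'
path.module: 'C:\Program Files\Graylog\sidecar\module'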
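winlogbeat.event_logs:
  # ---------- File system monitor ----------
  # Object-access auditing from the Security channel. event_id is an include
  # filter; the processors below only trim noise out of those four event IDs.
  - name: Security
    event_id: 4656, 4663, 4670, 4907
    ignore_older: 24h
    tags: [filesystem]
    processors:
      - script:
          lang: javascript
          id: security
          file: 'C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js'
      # Keep file objects only.
      - drop_event.when.not.or:
          - equals.winlog.event_data.ObjectType: "File"
      - drop_event.when.or:
          # Policy / registry / kernel-object sub-categories are covered by
          # their own entries further down.
          - regexp.winlog.event_data.winlog_task: 'Authorization Policy Change'
          - regexp.winlog.event_data.winlog_task: 'Audit Policy Change'
          - equals.winlog.event_data.winlog_task: "Registry"
          - equals.winlog.event_data.winlog_task: "Kernel Object"
          # Activity performed as LocalSystem / LocalService.
          # NOTE(review): this also hides anything done under those accounts
          # once a host is compromised; keeping 4670 (permission changes) for
          # these SIDs is a cheap way to narrow that blind spot.
          - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
          - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
          # A human opening a folder looks the same as an automated one;
          # far too many logs.
          - regexp.winlog.event_data.AccessList: '^%%4416.*'
          # No need to know who read which permission.
          - regexp.winlog.event_data.AccessList: '^%%1538.*'
          - regexp.winlog.event_data.AccessList: '^%%1539.*'
          - regexp.winlog.event_data.AccessList: '^%%1542.*'
          # SYNCHRONIZE status events are not worth monitoring.
          - regexp.winlog.event_data.AccessList: '^%%1541.*'
          # Nor reads / writes of extended attributes.
          - regexp.winlog.event_data.AccessList: '^%%4419.*'
          - regexp.winlog.event_data.AccessList: '^%%4420.*'
          # Machines execute DLLs constantly, which floods the log.
          - regexp.winlog.event_data.AccessList: '^%%4421.*'
          # Every action reads attributes first; ReadAttributes is far too chatty.
          - regexp.winlog.event_data.AccessList: '^%%4423.*'
          - regexp.winlog.event_data.AccessList: '^%%4424.*'
          # Paths the system churns through on its own under the user's token.
          # NOTE(review): Temp and Packages are also common drop locations;
          # weigh the noise reduction against that blind spot.
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\PenWorkspace.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\CLR_v4.0.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Internet Explorer\\CacheStorage.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows\\Recent\\AutomaticDestinations.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Packages.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\User Data.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\Application\\SetupMetrics.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Edge\\User Data.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\[a-zA-Z0-9._~-]+\\cache2.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Temp.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\D3DSCache.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\DeliveryOptimization.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\NVIDIA Corporation\\Drs.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\USOShared\\Logs.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\Logs.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\System32\\LogFiles.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Token\\Cache.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Roaming\\Microsoft.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache.*'
          # Recycle-bin activity is redundant with the Delete access (%%1537).
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\\$Recycle.Bin.*'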
##### ******* Windows OS ******** #######
- name: Security
event_id: 4608, 4610, 4611, 4614, 4622, 4697, 4719, 4817, 4826, 4902, 4904, 4905, 4906, 4908, 4912
ignore_older: 48h
tags: [windowsos]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- drop_event.when:
and:
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
- name: System
event_id: 12, 13, 1074
ignore_older: 24h
tags: [windowsos]
provider:
- Microsoft-Windows-Kernel-General
- USER32
- name: System
event_id: 16962, 16965, 16968, 16969, 41, 1001, 6008, 4621
ignore_older: 24h
tags: [windowsos]
- name: Microsoft-Windows-SMBServer/Audit
event_id: 3000
ignore_older: 24h
tags: [windowsos]
provider:
- Microsoft-Windows-SMBServer
##### ******* Windows USB ******** #######
- name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
level: 'critical, error'
event_id: 2003, 2102
ignore_older: 24h
tags: [windowsusb]
- name: Microsoft-Windows-Kernel-PnP/Configuration
tags: [windowsusb]
processors:
- drop_event.when.not:
and:
- equals.winlog.event_data.DriverName: \""usbstor.inf"\"
event_id: 400, 410
ignore_older: 24h
tags: [windowsusb]
level: information
provider:
- Microsoft-Windows-Kernel-PnP
- name: Security
event_id: 6416, 6419-6424
ignore_older: 24h
tags: [windowsusb]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- drop_event.when.or:
- regexp.winlog.event_data.DeviceDescription: '^Microsoft Print to PDF.*'
- regexp.winlog.event_data.DeviceDescription: '^Microsoft XPS Document Writer.*'
- regexp.winlog.event_data.DeviceDescription: '^Generic Non-PnP Monitor.*'
##### ******* Windows Registry ******** #######
- name: Security
event_id: 4657
ignore_older: 24h
tags: [windowsregistry]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- drop_event.when.not.or:
- equals.winlog.event_data.OperationType: '%%1904'
- equals.winlog.event_data.OperationType: '%%1905'
- equals.winlog.event_data.OperationType: '%%1906'
- drop_event.when.not.or:
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy\\\\Scripts\\\\Startup.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy\\\\Scripts\\\\Shutdown.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ShellServiceObjects.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ShellServiceObjects.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\ShellServiceObjectDelayLoad.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\ShellServiceObjectDelayLoad.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Drive\\\\ShellEx\\\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Directory\\\\ShellEx\\\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Directory\\\\ShellEx\\\\DragDropHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Directory\\\\ShellEx\\\\CopyHookHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Directory\\\\Background\\\\ShellEx\\\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Folder\\\\ShellEx\\\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\Folder\\\\ShellEx\\\\DragDropHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ShellIconOverlayIdentifiers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ShellIconOverlayIdentifiers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WinLogon\\\\GPExtensions.*'
##### ******* Windows Firewall ******** #######
- name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
event_id: 2002, 2004, 2005, 2006, 2009, 2033, 2099, 2097, 2010
ignore_older: 24h
tags: [windowsfirewall]
level: err, info
provider:
- Microsoft-Windows-Windows Firewall With Advanced Security
- name: Security
event_id: 4944-4954, 4956-4958, 5024, 5025, 5037, 5027-5030, 5032-5035, 5031, 5150, 5151, 5154-5157, 5159
ignore_older: 24h
tags: [windowsfirewall]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- drop_event.when.or:
- regexp.winlog.event_data.DestAddress: '239.255.255.250'
- regexp.winlog.event_data.DestAddress: '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?'
- regexp.winlog.event_data.Application: 'dns.exe'
##### ******* Windows Service ******** #######
- name: System
event_id: 7022-7024, 7026, 7031, 7032, 7034, 7040, 7045
ignore_older: 24h
tags: [windowsservice]
level: err, info, crit, warn
provider:
- Service Control Manager
processors:
- drop_event.when.or:
- regexp.winlog.event_data.param1: '^Programme d’installation pour les modules Windows.*'
- regexp.winlog.event_data.param1: '^Service de transfert intelligent en arrière-plan.*'
##### ******* Windows EventLog ******** #######
- name: System
event_id: 104
ignore_older: 24h
tags: [windowseventlog]
level: info
provider:
- Microsoft-Windows-Eventlog
- name: Security
event_id: 1100, 1104, 1105, 1108
ignore_older: 24h
tags: [windowseventlog]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- name: Security
event_id: 1102
ignore_older: 24h
tags: [windowseventlog]
level: info
provider:
- Microsoft-Windows-Eventlog
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
##### ******* Windows PowerShell ******** #######
- name: Windows PowerShell
event_id: 400, 403, 600, 800
ignore_older: 48h
tags: [powershell-legacy]
processors:
- script:
lang: javascript
id: powershell
file: C:\\Program Files\\Graylog\\sidecar\\module\\powershell\\config\\winlogbeat-powershell.js
- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4105, 4106
ignore_older: 48h
tags: [powershell]
processors:
- script:
lang: javascript
id: powershell
file: C:\\Program Files\\Graylog\\sidecar\\module\\powershell\\config\\winlogbeat-powershell.js
- drop_event.when.or:
- equals.winlog.event_id: 4104
- equals.winlog.event_id: 4100
- equals.winlog.event_id: 32784
##### ******* Windows Privilege ******** #######
- name: Security
event_id: 4673, 4674, 4985
ignore_older: 24h
tags: [windowsprivilege]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
##### ******* Windows Process ******** #######
- name: Security
event_id: 4688, 4689
ignore_older: 24h
tags: [windowsprocess]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
##### ******* Windows Task ******** #######
- name: Microsoft-Windows-TaskScheduler/Operational
event_id: 106, 129, 141, 142, 200, 201
ignore_older: 24h
tags: [windowstask]
provider:
- Microsoft-Windows-TaskScheduler
- name: Security
event_id: 4698-4702
ignore_older: 24h
tags: [windowstask]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
##### ******* DNS Client ******** #######
- name: Microsoft-Windows-DNS-Client/Operational
event_id: 3006, 3008, 3010, 3018
ignore_older: 24h
tags: [windowsdnsclient]
processors:
- drop_event.when:
or:
- equals.winlog.event_data.QueryOptions: '140737488355328'
- equals.winlog.event_data.QueryResults: ''
##### ******* Windows RDP ******** #######
- name: Microsoft-Windows-TerminalServices-RDPClient/Operational
ignore_older: 24h
tags: [windowsrdp]
level: crit, error, info, warn
- name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
ignore_older: 24h
tags: [windowsrdp]
level: crit, error, info, warn
##### ******* Windows Share ******** #######
- name: Security
event_id: 5140, 5142, 5145, 5168
ignore_older: 24h
tags: [windowsshare]
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- name: Microsoft-Windows-SMBClient/Operational
event_id: 30622, 30624
ignore_older: 24h
tags: [windowsshare]
- name: Microsoft-Windows-SMBClient/Security
ignore_older: 24h
tags: [windowsshare]
- name: Microsoft-Windows-SMBServer/Security
ignore_older: 24h
tags: [windowsshare]
##### ******* Account Lockout & Auth ******** #######
- name: Security
event_id: 4624-4627, 4634, 4647, 4649, 4672, 4675, 4740, 4774-4779, 4800-4803, 4964, 5378
level: info
ignore_older: 24h
tags: [auth]
provider:
- Microsoft-Windows-Security-Auditing
processors:
- script:
lang: javascript
id: security
file: C:\\Program Files\\Graylog\\sidecar\\module\\security\\config\\winlogbeat-security.js
- drop_event.when:
or:
- equals.winlog.event_data.TargetUserSid: 'S-1-5-18'
- regexp.winlog.event_data.TargetUserName: '.*\\$'
##### ******* Windows Defender ******** #######
- name: Microsoft-Windows-Windows Defender/Operational
event_id: 1006-1009, 1116-1119
ignore_older: 24h
tags: [windowsdefender]
If you want to drop an event only when multiple conditions are met, all of them need to be true for the drop to happen; also, you can't use `or`
if you only have one condition, like below.
Note: my example is for winlogbeat 7.x.
With winlogbeat 8.x, if you reference the same channel multiple times in the config, you need to give each entry a different `id`: