From 1aaaf7cc576e6f788146d05a5baf2e366dd5abde Mon Sep 17 00:00:00 2001
From: Pierre Penhouet
Date: Tue, 18 Feb 2025 09:06:56 +0100
Subject: [PATCH] Remove DNS events and priv/priv connections
---
 .../categories/endpoint/auditbeat_linux.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/docs/integration/categories/endpoint/auditbeat_linux.md b/docs/integration/categories/endpoint/auditbeat_linux.md
index 6553d6c75c..10115bf365 100644
--- a/docs/integration/categories/endpoint/auditbeat_linux.md
+++ b/docs/integration/categories/endpoint/auditbeat_linux.md
@@ -141,6 +141,22 @@ auditbeat.modules:
 - user # User information
 user.detect_password_changes: true
+ processors:
+ - drop_event:
+ when:
+ or:
+ - and:
+ - equals:
+ destination.port: 53
+ - equals:
+ event.action: network_flow
+ - and:
+ - equals:
+ event.action: network_flow
+ - network:
+ source.ip: private
+ - network:
+ destination.ip: private
 # ================================== Outputs ===================================
 output.elasticsearch:
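Review bot: The added `drop_event` processor discards telemetry at the agent, and the recommended configuration gives no comment telling the reader what visibility is lost. The first `and` branch matches on `destination.port: 53` alone, so every `network_flow` to that port is dropped whatever the protocol or destination host, not only lookups to the expected resolvers. The second branch drops every flow where both `source.ip` and `destination.ip` are `private`, which removes the east-west records that lateral-movement detections and incident timelines usually depend on. I would add a comment above `processors:` such as `# Volume reduction: drops flows to port 53 and private-to-private flows; remove or narrow if DNS or internal-traffic visibility is required`. Narrowing the port-53 rule to the site's known resolver addresses may also be worth considering. The nesting of the block is flattened in this view, so I could not check whether `processors:` sits at module level or at top level.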