From 1aaaf7cc576e6f788146d05a5baf2e366dd5abde Mon Sep 17 00:00:00 2001
From: Pierre Penhouet <pierre.penhouet@sekoia.io>
Date: Tue, 18 Feb 2025 09:06:56 +0100
Subject: [PATCH] Remove DNS events and priv/priv connections

---
 .../categories/endpoint/auditbeat_linux.md       | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docs/integration/categories/endpoint/auditbeat_linux.md b/docs/integration/categories/endpoint/auditbeat_linux.md
index 6553d6c75c..10115bf365 100644
--- a/docs/integration/categories/endpoint/auditbeat_linux.md
+++ b/docs/integration/categories/endpoint/auditbeat_linux.md
@@ -141,6 +141,22 @@ auditbeat.modules:
     - user      # User information
 
   user.detect_password_changes: true
+  processors:
+    - drop_event:
+        when:
+          or:
+            - and:
+              - equals:
+                  destination.port: 53
+              - equals:
+                  event.action: network_flow
+            - and:
+              - equals:
+                  event.action: network_flow
+              - network:
+                  source.ip: private
+              - network:
+                  destination.ip: private
 
 # ================================== Outputs ===================================
 output.elasticsearch: