[Winlogbeat] Implement exclusion range support for event_id

[andrewkroh]

Describe the enhancement:

Explore if it is possible to add support for an exclusion range in the event_id configuration option for Winlogbeat (e.g. event_id: -4700-4800).

Describe a specific use case for the enhancement or feature:

Sometimes you want to exclude a range of event IDs, but that is not supported.

Workarounds

The current workaround is complicated (this is with the Fleet custom windows event log integration where xml_query is not supported). Outside of Fleet I assume you can craft an xml_query to exclude ranges.

processors:
  # Convert winlog.event_id from string to a number and store it in _tmp.event_id.
  - convert:
      fields:
        - from: winlog.event_id
          to: _tmp.event_id
          type: long
  # Use the numeric _tmp.event_id to drop the event based on range conditions which
  # only work on numeric values.
  - drop_event:
      when:
        range:
            _tmp.event_id.gte: 4700
            _tmp.event_id.lt: 4800
  # Remove the temporary _tmp object.
  - drop_fields:
      ignore_missing: true
      fields:
        - _tmp

References

• beats/winlogbeat/sys/wineventlog/query.go

  Lines 44 to 46 in e7e6dac

  	incEventIDRegex = regexp.MustCompile(`^\d+$`)
  	incEventIDRangeRegex = regexp.MustCompile(`^(\d+)\s*-\s*(\d+)$`)
  	excEventIDRegex = regexp.MustCompile(`^-(\d+)$`)

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[marc-gr]

Should we expose xml_query on the integration also?