Hi, I believe this is close to what I'm seeing; at least I'm trying the same thing and not getting any success.
https://discuss.elastic.co/t/dropping-events-using-winlogbeat-processors/150781

The Sysmon is being sent from a Windows event collector with a Winlogbeat agent on to Logstash.

Here is the Winlogbeat conf.

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 12h
    event_logs.forwarded: false
#--------processors-------------
processors:

The bullets are actually a "-".

- drop_event.when.or:
   - equals.event_data.DestinationIp: [ "40.101.51.226", "40.101.51.130","52.114.32.7","13.107.2.0/22", "20.36.64.0/19", "204.79.197.213", "20.36.112.0/21", "40.82.12.0/22", "40.82.244.0/22", "40.90.130.32/28", "40.90.142.64/27", "40.90.149.32/27", "40.126.128.0/18", "52.143.218.0/24", "52.239.218.0/23", "20.36.32.0/19", "20.36.104.0/21", "20.37.0.0/18", "40.82.8.0/22", "40.82.240.0/22", "40.90.130.48/28", "40.90.142.96/27", "40.90.149.64/27", "52.143.219.0/24", "52.239.216.0/23", "13.70.64.0/18", "13.72.224.0/19", "13.73.192.0/20", "13.75.128.0/17", "20.37.192.0/19", "20.188.128.0/17", "20.190.142.0/25", "20.191.192.0/18", "23.101.208.0/20", "40.79.160.0/20", "40.79.211.0/24", "40.82.32.0/22", "40.82.192.0/19", "40.87.208.0/22", "40.90.130.80/28", "40.90.130.208/28", "40.90.140.32/27", "40.90.142.160/27", "40.90.147.64/27", "40.90.150.0/27", "40.112.37.128/26", "40.126.14.0/25", "40.126.224.0/19", "52.108.40.0/23", "52.109.112.0/22", "52.114.16.0/22", "52.147.0.0/19", "52.156.160.0/19", "52.187.192.0/18", "52.232.136.0/21", "52.232.154.0/24", "52.237.192.0/18", "52.239.130.0/23", "52.239.226.0/24", "52.245.16.0/22", "104.44.90.64/26", "104.44.93.96/27", "104.44.95.48/28", "104.46.29.0/24", "104.46.30.0/23", "104.46.240.0/20", "104.209.80.0/20", "104.210.64.0/18", "191.238.66.0/23", "191.239.64.0/19", "13.70.128.0/18", "13.73.96.0/19", "13.77.0.0/18", "20.190.96.0/19", "20.190.142.128/25", "23.101.224.0/19", "40.79.212.0/24", "40.81.48.0/20", "40.87.212.0/22", "40.90.138.128/27", "40.112.37.192/26", "40.115.64.0/19", "40.117.0.0/19", "40.126.14.128/25", "40.127.64.0/19", "52.108.234.0/23", "52.109.116.0/22", "52.114.20.0/22", "52.136.25.0/24", "52.147.32.0/19", "52.158.128.0/19", "52.189.192.0/18", "52.239.132.0/23", "52.239.225.0/24", "52.243.64.0/18", "52.245.20.0/22", "52.255.32.0/19", "104.44.90.32/27", "104.44.93.128/27", "104.44.95.64/28", "104.46.28.0/24", "104.209.64.0/20", "191.239.160.0/19", "191.239.192.0/22", "20.190.145.0/25", "23.97.96.0/19", 
"40.90.133.32/27", "40.90.141.64/27", "40.90.144.224/27", "40.126.17.0/25", "52.108.36.0/22", "52.109.108.0/22", "104.41.0.0/18", "191.232.32.0/19", "191.232.160.0/19", "191.232.192.0/18", "191.233.0.0/21", "191.233.24.0/21", "191.233.128.0/24", "191.233.130.0/23", "191.233.132.0/22", "191.233.136.0/21", "191.233.192.0/18", "191.234.160.0/19", "191.235.32.0/19", "191.235.64.0/18", "191.235.196.0/22", "191.235.200.0/21", "191.235.224.0/20", "191.235.240.0/21", "191.237.195.0/24", "191.237.200.0/21", "191.237.248.0/21", "191.238.128.0/21", "191.238.192.0/19", "191.239.112.0/20", "191.239.204.0/22", "191.239.240.0/20", "13.71.160.0/19", "13.88.224.0/19" ]

Based on what I can see in the initially mentioned topic, I can get Winlogbeat to drop a given event ID; here this would be event ID 3.

Is it possible to get Winlogbeat to drop the event if event ID 3 contains one of the IP addresses mentioned above?

An alternative, I guess, would be to do this in Logstash, but if I can get the noise filtered out before I hit Logstash I would prefer this.
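
Added example (not part of the original post, and not Elastic's own configuration): a processor that scopes the drop to Sysmon event ID 3 and matches the destination against CIDR ranges with the Beats `network` condition. It assumes the installed Winlogbeat version provides `network`, and that `event_id` and `source_name` are the field names that go with the post's `event_data.DestinationIp`; only three of the post's ranges are shown.

```yaml
# Added example, not the poster's configuration. event_data.DestinationIp is
# taken from the post; event_id and source_name are assumed to be the matching
# field names in the same Winlogbeat schema.
processors:
  # As posted: equals takes a single integer or string value and compares it
  # exactly, so a list of values or a CIDR string cannot express "is in range".
  #
  # - drop_event.when.or:
  #     - equals.event_data.DestinationIp: [ "40.101.51.226", "13.107.2.0/22" ]

  # Range-aware form: all three conditions must hold before the event is dropped.
  - drop_event:
      when:
        and:
          # ForwardedEvents carries many providers; scope the drop to Sysmon.
          - equals:
              source_name: "Microsoft-Windows-Sysmon"
          # Sysmon event ID 3 (network connection).
          - equals:
              event_id: 3
          # True when the field holds an IP inside any listed network.
          - network:
              event_data.DestinationIp:
                - "40.101.51.226/32"   # single host written as a /32
                - "13.107.2.0/22"
                - "20.36.64.0/19"
                # ... remaining ranges from the post go here, one per line
```

The file can be checked with `winlogbeat test config` before the service is restarted.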