[quote="ssi, post:1, topic:155734"]
is it possible to get winlogbeat to drop the event if event id 3 contains one of the ip adresses mentioned above?
[/quote]

It is possible. But in your original post you used CIDR ranges and Beats do not have support for matching CIDR ranges so you would have to use exact IP addresses or a regular expression.

So if the logic you want is drop_event when `(event_id == 3) AND (event_data.DestinationIp == "40.101.48.82" OR event_data.DestinationIp == "40.101.65.130")` then this should work:

```
processors:
- drop_event:
    when:
      and:
        - equals.event_id: 3
        - or:
            - equals.event_data.DestinationIp: '40.101.48.82'
            - equals.event_data.DestinationIp: '40.101.65.130'
```

Indentation is critical in YAML.

http://www.yamllint.com/ is your friend and can be used to check that your YAML is valid.

---