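# Label Sysmon network-connection events whose destination lies in a
# Microsoft-registered prefix, so analysts can carve that traffic out of
# (or into) a triage view.
#
# Scope: Winlogbeat-shipped Sysmon "Network connection detected" events
# (Sysmon event ID 3). The match is on the parsed [task] string, as
# originally written; if [event_id] is present in these events it would be
# the less brittle key -- confirm against the shipper's field layout.
#
# Effect: sets [IPDestination] = "Microsoft" when [event_data][DestinationIp]
# falls inside one of the listed networks. Events with no DestinationIp are
# skipped up front: otherwise Logstash sprintf leaves the literal
# "%{[event_data][DestinationIp]}" in the address and the cidr filter emits
# an "Invalid IP address" warning for every such event.
#
# Caveats for anyone building detections on this field:
#   * "Microsoft" means the prefix is registered to Microsoft. Many of these
#     blocks are Azure allocations that also host third-party tenants, so
#     treat the label as a triage hint, not as an allowlist.
#   * The prefix list is static and ages; refresh it from Microsoft's
#     published ranges. The cidr filter can also load networks from a file
#     (network_path / refresh_interval) if the list is easier to maintain
#     outside the pipeline.
filter {
  if "winlogbeat" in [tags]
     and [log_name] == "Microsoft-Windows-Sysmon/Operational"
     and [task] == "Network connection detected (rule: NetworkConnect)"
     and [event_data][DestinationIp] {
    cidr {
      add_field => { "IPDestination" => "Microsoft" }
      address   => [ "%{[event_data][DestinationIp]}" ]
      # Ordered as in the original (string-sorted, so IPv6 is interleaved).
      network   => [
        "13.104.0.0/14", "13.64.0.0/11", "13.96.0.0/13", "20.160.0.0/12",
        "20.180.0.0/14", "20.184.0.0/13", "23.96.0.0/13", "40.64.0.0/10",
        "42.159.0.0/16", "51.140.0.0/14", "51.4.0.0/15", "51.51.0.0/16",
        "51.8.0.0/16", "52.112.0.0/14", "52.120.0.0/14", "52.125.0.0/16",
        "52.126.0.0/15", "52.130.0.0/15", "52.136.0.0/13", "52.145.0.0/16",
        "52.146.0.0/15", "52.148.0.0/14", "52.152.0.0/13", "52.160.0.0/11",
        "52.224.0.0/11", "52.96.0.0/12", "64.4.0.0/18", "65.52.0.0/14",
        "66.119.144.0/20", "70.37.0.0/17", "70.37.128.0/18", "91.190.216.0/21",
        "94.245.64.0/18", "103.25.156.0/24", "103.25.157.0/24", "103.25.158.0/23",
        "103.255.140.0/22", "103.36.96.0/22", "103.9.8.0/22", "104.146.0.0/15",
        "104.208.0.0/13", "104.40.0.0/13", "111.221.16.0/20", "111.221.64.0/18",
        "129.75.0.0/16", "131.253.1.0/24", "131.253.12.0/22", "131.253.128.0/17",
        "131.253.16.0/23", "131.253.18.0/24", "131.253.21.0/24", "131.253.22.0/23",
        "131.253.24.0/21", "131.253.3.0/24", "131.253.32.0/20", "131.253.5.0/24",
        "131.253.6.0/24", "131.253.61.0/24", "131.253.62.0/23", "131.253.64.0/18",
        "131.253.8.0/24", "132.245.0.0/16", "134.170.0.0/16", "134.177.0.0/16",
        "137.116.0.0/15", "137.135.0.0/16", "138.196.0.0/16", "138.91.0.0/16",
        "139.217.0.0/16", "139.219.0.0/16", "141.251.0.0/16", "146.147.0.0/16",
        "150.171.0.0/16", "150.242.48.0/22", "157.54.0.0/15", "157.56.0.0/14",
        "157.60.0.0/16", "167.220.0.0/16", "168.61.0.0/16", "168.62.0.0/15",
        "191.232.0.0/13", "192.197.157.0/24", "192.32.0.0/16", "192.48.225.0/24",
        "192.84.159.0/24", "192.84.160.0/23", "193.149.64.0/19", "193.221.113.0/24",
        "194.110.197.0/24", "198.105.232.0/22", "198.200.130.0/24", "198.206.164.0/24",
        "198.49.8.0/24", "199.103.122.0/24", "199.103.90.0/23", "199.242.32.0/20",
        "199.242.48.0/21", "199.60.28.0/24", "199.74.210.0/24", "2001:4898::/32",
        "2001:489a:2000::/35", "2001:67c:1020::/48", "2001:df0:7::/48", "2001:df0:d7::/48",
        "2001:df0:d8::/48", "2001:df0:d9::/48", "202.89.224.0/20", "204.13.120.0/21",
        "204.14.180.0/22", "204.152.140.0/23", "204.152.18.0/23", "204.231.192.0/24",
        "204.231.194.0/23", "204.231.197.0/24", "204.231.198.0/23", "204.231.200.0/21",
        "204.231.208.0/20", "204.231.236.0/24", "204.79.135.0/24", "204.79.179.0/24",
        "204.79.181.0/24", "204.79.188.0/24", "204.79.195.0/24", "204.79.196.0/23",
        "204.79.252.0/24", "205.174.224.0/20", "206.138.168.0/21", "206.191.224.0/19",
        "207.46.0.0/16", "207.68.128.0/18", "208.68.136.0/21", "208.76.44.0/22",
        "208.84.0.0/21", "209.240.192.0/19", "213.199.128.0/18", "216.220.208.0/20",
        "216.32.180.0/22", "2404:f801::/32", "2603:1000::/24", "2620:0:30::/45",
        "2620:10c:5000::/44", "2620:1ec::/36", "2801:80:1d0::/48", "2a01:110::/32",
        "2a01:111::/32", "2a01:4180::/32"
      ]
    }
  }
}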