Detect failed Windows updates with Graylog

This alert is even simpler than the bruteforce check.
Microsoft stores successful Windows updates with the event ID 43, 44 or 19. All we need to do is create a filter for all other IDs.

Updates are stored in Winlogbeat in the winlogbeat_winlog_event_data_updateTitle field.

The search input is done on the Winlogbeat input as source:

_exists_:winlogbeat_winlog_event_data_updateTitle AND NOT (winlogbeat_event_code:43 OR winlogbeat_event_code:44 OR  winlogbeat_event_code:19)

Go to alerts and create a new event.

Graylog Event "Failed Windows Updates detected"

Create a filter using the input from above:

Graylog Failed Windows Updates Filter

Add fields for alert output:

Graylog Failed Windows Updates Fields

Edit the notification channels as desired (you are free to choose whether you want to be alerted by email or otherwise). Your summary should look like this:

Graylog Failed Windows Updates Summary