Understanding "Exec" filtering syntax

JF_427179

I am trying to filter certain Windows Server events. I have the following code:

<Exec>
    if $EventID == '4737' AND $TargetSid == 'S-1-5-21-3629192509-3943823860-1568066966-20147' AND $SubjectUserSid == 'S-1-5-21-3629192509-3943823860-1568066966-20118'
    {
        drop();
    }
    if $SubjectUserName == 'NETVAULT$' AND $SubjectUserSid == 'S-1-5-20' AND ($ProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe')
    {
        drop();
    }
    if $SubjectUserName == 'HVAC$' AND $SubjectUserSid == 'S-1-5-18' AND ($ProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe' OR $NewProcessName == 'C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe')
    {
        drop();
    }
</Exec>

The first one says if the EventID, TargetSid, and SubjectUserSid are certain values, then drop the event.

The second says that if the SubjectUserName and SubjectUserSid are certain values and either the ProcessName or the NewProcessName is a certain value, then drop the event.

The third basically is doing the same thing as the second one, except using different values.

Do I have the syntax correct for this?
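The three drop rules from the post, re-expressed in Python as an added illustration (this is not code from the post and not NXLog's own logic) so the AND/OR grouping can be checked against sample events. The SIDs and paths are the ones in the post; the sample events, the field names used as dictionary keys and the helper names are constructed for this example. EventID is compared as an integer here, because NXLog's im_msvistalog delivers $EventID as an integer, while the post compares it to the quoted string '4737'; it is worth confirming against the reference manual for your version how a quoted literal is handled, and likewise whether single-quoted string literals treat a backslash as an escape (the Python below uses raw strings so the backslashes in the paths are literal).

```python
"""Added example: the post's three <Exec> drop rules as a Python filter."""

# Values taken from the rules in the post.
RULE1_TARGET_SID = "S-1-5-21-3629192509-3943823860-1568066966-20147"
RULE1_SUBJECT_SID = "S-1-5-21-3629192509-3943823860-1568066966-20118"
NETVAULT_POSTGRES = r"C:\Program Files (x86)\Quest\NetVault Backup\pgsql\bin\postgres.exe"
HVAC_POSTGRES = r"C:\Program Files (x86)\Delta Controls\enteliWEB\PostgreSQL\bin\postgres.exe"


def _process_is(event: dict, path: str) -> bool:
    """The post's ($ProcessName == X OR $NewProcessName == X) clause."""
    return event.get("ProcessName") == path or event.get("NewProcessName") == path


def should_drop(event: dict) -> bool:
    """Return True when any of the three rules matches (i.e. NXLog would call drop())."""
    # Rule 1: event 4737 where both the target and the subject SID match exactly.
    if (event.get("EventID") == 4737
            and event.get("TargetSid") == RULE1_TARGET_SID
            and event.get("SubjectUserSid") == RULE1_SUBJECT_SID):
        return True
    # Rule 2: NETVAULT$ running as S-1-5-20 from the NetVault postgres binary.
    if (event.get("SubjectUserName") == "NETVAULT$"
            and event.get("SubjectUserSid") == "S-1-5-20"
            and _process_is(event, NETVAULT_POSTGRES)):
        return True
    # Rule 3: HVAC$ running as S-1-5-18 from the enteliWEB postgres binary.
    if (event.get("SubjectUserName") == "HVAC$"
            and event.get("SubjectUserSid") == "S-1-5-18"
            and _process_is(event, HVAC_POSTGRES)):
        return True
    return False


def apply_filter(events: list) -> list:
    """Return the events that survive the filter, in their original order."""
    return [e for e in events if not should_drop(e)]


# Constructed sample events (hypothetical field values, not real log data).
SAMPLE_EVENTS = [
    {"note": "rule 1 full match", "EventID": 4737,
     "TargetSid": RULE1_TARGET_SID, "SubjectUserSid": RULE1_SUBJECT_SID},
    {"note": "rule 1 wrong subject SID", "EventID": 4737,
     "TargetSid": RULE1_TARGET_SID, "SubjectUserSid": "S-1-5-21-0-0-0-1001"},
    {"note": "rule 2 via NewProcessName only", "EventID": 4688,
     "SubjectUserName": "NETVAULT$", "SubjectUserSid": "S-1-5-20",
     "NewProcessName": NETVAULT_POSTGRES},
    {"note": "rule 2 other binary", "EventID": 4688,
     "SubjectUserName": "NETVAULT$", "SubjectUserSid": "S-1-5-20",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"note": "rule 3 via ProcessName", "EventID": 4688,
     "SubjectUserName": "HVAC$", "SubjectUserSid": "S-1-5-18",
     "ProcessName": HVAC_POSTGRES},
    {"note": "rule 3 wrong SID", "EventID": 4688,
     "SubjectUserName": "HVAC$", "SubjectUserSid": "S-1-5-20",
     "ProcessName": HVAC_POSTGRES},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['note']:32} -> {'drop' if should_drop(e) else 'keep'}")
```

Running it shows that each rule only fires when every AND term matches, and that the parenthesised OR lets rule 2 and rule 3 match on either of the two process fields; the "wrong SID" and "other binary" events are kept, which is the behaviour the post describes. Because every condition is an exact string match, a process name that differs only by path or case would also be kept rather than dropped.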