Filtering out items for event collection

  • TrinaBailey (Junior Member, Jan 2024)

    #1

    I have a template I'm using to gather event IDs.
    Currently, I've successfully created a key: eventlog[Security,,,,4625,,skip]
    However, I'd like to filter out anything that has:
    Subject:

    Security ID: NULL SID

    I've tried to do a regular expression / key combo with the key being:
    eventlog[Security,,not@NULL,,4625,,skip]

    and the regular expression being:
    Result is TRUE with the expression: (.*)Subject: \tSecurity ID:\t\tNULL SID

    But it's not exactly working. Is there any way to stop processing events that have a null security ID and subject?
    I'm not sure what or how else to do this.
    Any suggestions would be appreciated!
  • PeterZielony (Senior Member, Nov 2022)

    #2

    To be honest, I'm not a big fan of monitoring Windows event logs with the Zabbix agent. Of course, it might not be what you are looking for, and it might be overkill (but this is how I'm getting things from the event log instead of using the built-in agent item).

    I'm using Windows Task Scheduler with custom XML filtering (for firewall changes) and then run zabbix_sender to send the data to Zabbix (to a Zabbix trapper item). This way I have more control over the values I need to send back.

    You can modify it to filter on "security ID is null"; check the XML data under:
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    which indicates
    Subject:
    Security ID: NULL SID

    In your case, an additional filter could look like this (inside <Subscription>):
    and *[EventData[Data[@Name='SubjectUserSid']!='S-1-0-0']]

    Example of my firewall XML filter (just part of it):
    <Triggers>
      <EventTrigger>
        <Enabled>true</Enabled>
        <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"&gt;&lt;Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"&gt;*[System[(EventID=2005)]] and *[EventData[Data[@Name='ModifyingApplication']!='<----removed---->']]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        <ValueQueries>
          <Value name="RuleName">Event/EventData/Data[@Name="RuleName"]</Value>
          <Value name="RemoteAddresses">Event/EventData/Data[@Name="RemoteAddresses"]</Value>
          <Value name="Direction">Event/EventData/Data[@Name="Direction"]</Value>
          <Value name="ModifyingApplication">Event/EventData/Data[@Name="ModifyingApplication"]</Value>
          <Value name="LocalAddresses">Event/EventData/Data[@Name="LocalAddresses"]</Value>
          <Value name="Protocol">Event/EventData/Data[@Name="Protocol"]</Value>
          <Value name="LocalPorts">Event/EventData/Data[@Name="LocalPorts"]</Value>
          <Value name="RemotePorts">Event/EventData/Data[@Name="RemotePorts"]</Value>
          <Value name="Active">Event/EventData/Data[@Name="Active"]</Value>
        </ValueQueries>
      </EventTrigger>
    </Triggers>

    This pulls the selected details if EventID=2005 and "ModifyingApplication" is not (using "!=" as "not equal") the <---removed--> path to our FW automation application.
    Example of a Security XML event:
    [Screenshot: image.png, example Security event in XML view]

    I can then use the Value names in zabbix_sender to send it back (as the task's action) like this:
    /E:ON /C "cd /d "C:\Program Files\Zabbix Agent 2" && zabbix_sender --config "zabbix_agent2.conf" -k Firewall.Added -o "Firewall rule on %COMPUTERNAME% has been added, Rule name: $(RuleName), Remote Addresses: $(RemoteAddresses), Local Addresses: $(LocalAddresses), Local Ports: $(LocalPorts), Remote Ports: $(RemotePorts), Protocol: $(Protocol), Status: $(Active), Direction: $(Direction), Modifying Application: $(ModifyingApplication)""

    For custom XML filtering, check Google.

    Then use this to send it to Zabbix via a trapper item, using multiple values from the event log with $(ValueName) for each Value name from the XML filter (between <ValueQueries> and </ValueQueries>).
    Last edited by PeterZielony; 08-01-2024, 18:45.

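The filter suggested in the reply above, as an added example that is not part of either post: a small Python script that parses Security event XML and applies the same selection as the XPath `*[System[(EventID=4625)]] and *[EventData[Data[@Name='SubjectUserSid']!='S-1-0-0']]`, so you can see which 4625 events would survive (S-1-0-0 is the SID that the rendered message shows as "NULL SID") before XML-escaping the query into a scheduled task's `<Subscription>`. The three sample events, the account names and the `S-1-5-21-...` SID in them, and the helper names (`make_event`, `passes_filter`, `selected_targets`, `build_query`) are constructed for illustration; the namespace URI is the standard Windows event schema.

```python
"""Added example: offline check of the Windows event XPath filter

    *[System[(EventID=4625)]]
    and *[EventData[Data[@Name='SubjectUserSid']!='S-1-0-0']]

Sample events below are constructed, not captured from a real host."""
import xml.etree.ElementTree as ET

# Standard namespace of Windows event XML (as exported by Event Viewer / wevtutil).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"  # shown as "Security ID: NULL SID" in the rendered event text


def make_event(event_id, subject_sid, target_user):
    """Build a minimal 4625-style event (constructed; real events carry more Data fields)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">{target_user}</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    make_event(4625, NULL_SID, "administrator"),  # failed network logon, anonymous subject: the noise to drop
    make_event(4625, "S-1-5-21-1004336348-1177238915-682003330-1001", "alice"),  # real subject (hypothetical SID)
    make_event(4624, "S-1-5-18", "SYSTEM"),  # successful logon: wrong EventID, never selected
]


def event_data(root):
    """Map each EventData/Data[@Name] to its text."""
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def passes_filter(xml_text, event_id=4625, excluded_sid=NULL_SID):
    """True when the XPath above would select the event.

    XPath 1.0 compares a node-set with != by asking whether ANY node differs,
    so a missing SubjectUserSid element gives an empty node-set and the event
    is NOT selected; the `sid is not None` test mirrors that behaviour."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", default="-1", namespaces=NS))
    sid = event_data(root).get("SubjectUserSid")
    return eid == event_id and sid is not None and sid != excluded_sid


def selected_targets(xml_events):
    """TargetUserName of every event that survives the filter."""
    return [event_data(ET.fromstring(x))["TargetUserName"]
            for x in xml_events if passes_filter(x)]


def build_query(event_id=4625, excluded_sid=NULL_SID, channel="Security"):
    """The <QueryList> for wevtutil / Get-WinEvent; XML-escape it before placing
    it inside a Task Scheduler <Subscription> element as the post does."""
    select = (f"*[System[(EventID={event_id})]] "
              f"and *[EventData[Data[@Name='SubjectUserSid']!='{excluded_sid}']]")
    return (f'<QueryList><Query Id="0" Path="{channel}">'
            f'<Select Path="{channel}">{select}</Select></Query></QueryList>')


if __name__ == "__main__":
    print(build_query())
    print("selected:", selected_targets(SAMPLE_EVENTS))  # ['alice']
```

On the Windows host itself the string returned by `build_query()` can be tried directly with `wevtutil qe Security /q:"<query>" /c:5 /f:text` or with `Get-WinEvent -FilterXml` before it goes into the task; the Python mirror is only for reasoning about the filter offline, for instance to confirm that an event with no SubjectUserSid field is dropped rather than kept.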