diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 439d1278732..62d2b9e11f1 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -118,6 +118,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
+- Add provider names to Security pipeline conditional check in routing pipeline. {issue}27288[27288] {pull}29781[29781]
 *Functionbeat*
diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml
index 7566be69943..52f8825f1ef 100644
--- a/x-pack/winlogbeat/module/routing/ingest/routing.yml
+++ b/x-pack/winlogbeat/module/routing/ingest/routing.yml
@@ -3,7 +3,7 @@ description: Winlogbeat Routing Pipeline
 processors:
 - pipeline:
 name: '{< IngestPipeline "security" >}'
- if: ctx?.winlog?.channel == 'Security'
+ if: ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)
 - pipeline:
 name: '{< IngestPipeline "sysmon" >}'
 if: ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'
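Review bot: The provider allowlist in the new `if:` for the `security` pipeline is an exact, case-sensitive match with nothing in the file explaining it, so a Security-channel event whose `winlog.provider_name` is anything else (or missing) now skips the security pipeline silently and is indexed without the fields that pipeline would set. Detection content that filters on those enriched fields would presumably stop matching such events, with nothing in the document to show they were skipped. I would add a comment above the condition, e.g. `# Only these providers are parsed by the security pipeline; other Security-channel providers are indexed as-is.`, and consider a pipeline test case with a non-listed provider so the fall-through is pinned. The `processors` list continues past the end of the hunk, so a later catch-all may exist that is not visible here.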