Filter out specific events based on payload???

#1 CosmicSlopp

Is it possible to apply a filter that will allow for a Windows event (e.g. 4624) to be dropped if it contains a machine name (appended with $) but send all others? The line that contains the payload is:

JCEF_srcUser:  xxxxx$

xxxx would need to be a wildcard to be inclusive of all machine accounts. 

My reasoning is that for our environment we can't completely drop 4624 altogether, but the inclusion of machine accounts creates the bulk of the events (over 90%), which is just noise for my purposes.

Thanks in advance!

#2 b0ti Nxlog ✓
#1 CosmicSlopp
Is it possible to apply a filter that will allow for a Windows event (e.g. 4624) to be dropped if it contains a machine name (appended with $) but send all others? The line that contains the payload is: JCEF_srcUser:  xxxxx$  xxxx would need to be a wildcard to be inclusive of all machine accounts. My reasoning is that for our environment we can't completely drop 4624 altogether, but the inclusion of machine accounts creates the bulk of the events (over 90%), which is just noise for my purposes. Thanks in advance!

Something like this should do what you need:

Exec if ($EventID == 4624) and ($SourceName == 'Microsoft-Windows-Security-Auditing') and ($AccountName =~ /\$$/) drop();
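To sanity-check the condition before putting it into a live route, the same three-part test (EventID, provider, account name ending in a literal "$") can be run over a handful of constructed events. This is an added example, not code from the thread or from NXLog; the field names EventID, SourceName and AccountName are assumed to match the Exec line above, and the sample events are made up.

```python
import re

# Same regex as /\$$/ in the Exec line: a literal "$" as the last character,
# which is how Windows names computer accounts (HOST$), not a "$" mid-string.
MACHINE_ACCOUNT = re.compile(r"\$$")

def should_drop(event: dict) -> bool:
    """True when the event matches the noise filter: a 4624 logon from the
    Security auditing provider whose account name is a computer account.
    Everything else (other EventIDs, other providers, human users) is kept."""
    account = event.get("AccountName") or ""   # missing/None field -> no match
    return (
        event.get("EventID") == 4624
        and event.get("SourceName") == "Microsoft-Windows-Security-Auditing"
        and MACHINE_ACCOUNT.search(account) is not None
    )

def apply_filter(events):
    """Split a batch into (kept, dropped) lists, mirroring what the route would forward."""
    kept, dropped = [], []
    for ev in events:
        (dropped if should_drop(ev) else kept).append(ev)
    return kept, dropped

# Constructed sample events (field names assumed to match the Exec line).
SEC = "Microsoft-Windows-Security-Auditing"
SAMPLE_EVENTS = [
    {"EventID": 4624, "SourceName": SEC, "AccountName": "WKS-042$"},   # machine: drop
    {"EventID": 4624, "SourceName": SEC, "AccountName": "DC01$"},      # machine: drop
    {"EventID": 4624, "SourceName": SEC, "AccountName": "jsmith"},     # user: keep
    {"EventID": 4624, "SourceName": SEC, "AccountName": "svc$backup"}, # "$" not at end: keep
    {"EventID": 4672, "SourceName": SEC, "AccountName": "DC01$"},      # not 4624: keep
    {"EventID": 4624, "SourceName": "Other-Provider", "AccountName": "DC01$"},  # other provider: keep
    {"EventID": 4624, "SourceName": SEC},                              # no account field: keep
]

if __name__ == "__main__":
    kept, dropped = apply_filter(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for ev in dropped:
        print("dropped:", ev["AccountName"])
```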