Hi All,

i'm testing the possibility of forwarding windows security logs to SIEM. Seems all ok, but i'm not able to drop messages with some values.

For example we have some event with

$TargetUsername = DWM-"1to11" (example : DWM-1) $TargetUsername = UMFD-"1to11" (example : UMFD-4) $TargetUsername = pcname$ (example : HOSTNAME$) $TargetUsername = Anonymous Access

I'm able to drop "Anonymous Access" with this command :

Exec if $TargetUserName == "Anonymous Access" drop();

but with the other events, i can't use

Exec if $TargetUserName == "UMFD" drop();

because the events are multiple like UMFD-1 UMFD-2 UMFD-3, or username with "$" at the end of the $TargetUserName Value

i have tried with this configuration but seems doesn't work

Exec if $TargetUserName =~ /UMFD/ drop(); Exec if $TargetUserName =~ /DWM/ drop(); Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thanks you