Is it possible to apply a filter that will allow for a Windows event (e.g. 4624) to be dropped if it contains a machine name (appended with $) but send all others? The line that contains the payload is:

JCEF_srcUser:  xxxxx

xxxx would need to be a wildcard to be inclusive of all machine accounts. 

My reasoning is that for our environment we can't completely drop 4624 altogether, but the inclusion of machine accounts creates the bulk of the events (over 90%), which is just noise for my purposes.

Thanks in advance!

Asked May 8, 2017 - 8:05pm

Answer (1)

Something like this should do what you need:

Exec if ($EventID == 4624) and ($SourceName == 'Microsoft-Windows-Security-Auditing') and ($AccountName =~ /\$$/) drop();
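To see what that Exec rule keeps and drops before putting it in front of a production collector, here is an added Python emulation of the same condition run over a few constructed events. It is not NXLog code and not part of the answer; the field names follow the answer's rule ($EventID, $SourceName, $AccountName) rather than the JCEF_srcUser line in the question, and the sample records are made up.

```python
import re

# Constructed sample events (not real log data). Field names mirror the
# variables used in the NXLog rule; values are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SourceName": "Microsoft-Windows-Security-Auditing", "AccountName": "WKSTN01$"},
    {"EventID": 4624, "SourceName": "Microsoft-Windows-Security-Auditing", "AccountName": "jsmith"},
    {"EventID": 4625, "SourceName": "Microsoft-Windows-Security-Auditing", "AccountName": "DC01$"},
    {"EventID": 4624, "SourceName": "Microsoft-Windows-Security-Auditing", "AccountName": "svc$backup"},
    {"EventID": 4624, "SourceName": "Other-Provider", "AccountName": "HOST02$"},
]

# Same pattern as the rule's /\$$/: a literal '$' anchored at the end of the
# account name, so a '$' in the middle of a name does not match.
MACHINE_ACCOUNT = re.compile(r"\$$")


def should_drop(event: dict) -> bool:
    """Return True when the NXLog condition would call drop() on this event."""
    return (
        event.get("EventID") == 4624
        and event.get("SourceName") == "Microsoft-Windows-Security-Auditing"
        and MACHINE_ACCOUNT.search(event.get("AccountName", "")) is not None
    )


def apply_filter(events: list) -> list:
    """Events that survive the rule, i.e. everything the Exec would still send."""
    return [e for e in events if not should_drop(e)]


def drop_ratio(events: list) -> float:
    """Share of events the rule removes; compare against the poster's >90% estimate."""
    if not events:
        return 0.0
    return sum(should_drop(e) for e in events) / len(events)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("DROP" if should_drop(e) else "KEEP", e["EventID"], e["AccountName"])
    print(f"dropped {drop_ratio(SAMPLE_EVENTS):.0%} of sample events")
```

Note that only the first sample is dropped: the 4625 failure for DC01$ and the 4624 from a different provider are kept because the rule checks all three conditions, and "svc$backup" is kept because the regex is anchored to the end of the name.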