I'm testing the possibility of forwarding Windows security logs to a SIEM. Everything seems OK, but I'm not able to drop messages with certain values.
For example, we have some events with:
$TargetUsername = DWM-"1to11" (example : DWM-1)
$TargetUsername = UMFD-"1to11" (example : UMFD-4)
$TargetUsername = pcname$ (example : HOSTNAME$)
$TargetUsername = Anonymous Access
I'm able to drop "Anonymous Access" with this command:
Exec if $TargetUserName == "Anonymous Access" drop();
but for the other events I can't use
Exec if $TargetUserName == "UMFD" drop();
because there are multiple events like UMFD-1, UMFD-2, UMFD-3, or usernames with a "$" at the end of the $TargetUserName value.
I have tried this configuration, but it doesn't seem to work:
Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();
Can you help me?
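The pattern the post is looking for, as an added example that is not part of the original post and not taken from NXLog's own documentation. It assumes an im_msvistalog input and that the field is named $TargetUserName exactly as in the post; the event IDs and account names are the ones the post mentions. The key point is that inside a regex `$` is the end-of-string anchor, so `/$/` matches every value (and `/UMFD/` alone also matches because it is unanchored); a literal dollar sign must be escaped as `\$`, and the built-in accounts are easiest to match with one anchored alternation:

```nxlog
<Input eventlog>
    Module  im_msvistalog

    # Drop events for the noisy built-in accounts before they leave the host.
    # Assumptions (not from the post): input module is im_msvistalog and the
    # parsed field is $TargetUserName.
    <Exec>
        # Only test the field when the event actually carries it.
        if defined($TargetUserName)
        {
            # Exact match: the anonymous logon pseudo-account.
            if $TargetUserName == "Anonymous Access" drop();

            # Desktop Window Manager / User-Mode Font Driver session accounts:
            # DWM-1 ... DWM-11, UMFD-0 ... UMFD-11. Anchored so that a real
            # user named e.g. "dwm-admin" is not swallowed.
            if $TargetUserName =~ /^(DWM|UMFD)-\d+$/ drop();

            # Computer accounts end in a literal "$" (HOSTNAME$); the dollar
            # must be escaped, the trailing "$" is the end-of-string anchor.
            if $TargetUserName =~ /\$$/ drop();
        }
    </Exec>
</Input>
```

Two things to check before deploying this: matching in NXLog is case-sensitive unless the pattern carries the `i` flag, so the case of the account names in the real events should be confirmed first; and the last rule silently discards every computer-account event, which includes machine logons that some detections rely on, so it is worth narrowing that one to the specific event IDs that are actually noisy rather than to the account name alone.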