Hello everyone

I have the following EXEC IF statement in my configuration file to drop events if username fields are equal to the computer account name. As you know Windows computer account names always end in $.

if $EventID == 4624 AND ($TargetUserName == 'DESKTOP-XY43$' OR $SubjectUserName == 'DESKTOP-XY43$') drop();

Above IF statement works perfectly, however, I have several other IF statements for various event ID's AND several hundred Windows hosts. You can imagine the time and effort required to customize several hundred .conf files for each Windows desktop.

Does anyone know if I could use REGEX or some other technique like wildcard to simply say if TargetUserName or SubjectUserName string ends in $, then drop the event.

IF $EventID == 4624 AND ($TargetUserName == *$ OR $SubjectUserName == *$) drop();

Thank you

AskedJune 13, 2021 - 5:00am

Answer (1)