-
6 years, 8 months ago
ddanielnp wrote a new post
sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR […]
-
6 years, 9 months ago
ddanielnp became a registered member
Where does the "ITS_Admin" come from? Lookup field?
John,
"ITS_Admin" is a value pulled via regex from the line:
| rex field=member_id "^\w+\W(?<…>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<…>.*\S)"
To test what the regex is pulling from your Windows events, go to https://regex101.com/ and paste the regex (minus the quotes) ^\w+\W(?<…>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<…>.*\S) into the REGULAR EXPRESSION field and paste your event into the TEST STRING field. On the right-hand side, under MATCH INFORMATION, you will see the values captured by the regex.
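Added example, not from the thread: the rex pattern with its escapes restored, run in Python over constructed member_id-style values so you can see which alternation branch captures each kind of account name and what the trailing group is left with. The group names "account" and "rest" and the "DOMAIN\account trailer" layout are assumptions, since the forum stripped the original named-group syntax.

```python
import re

# Escapes restored from the forum post (the backslashes were stripped on the
# page). The capture-group names "account" and "rest" are assumptions; the
# original names did not survive extraction.
ACCOUNT_RE = re.compile(
    r"^\w+\W"
    r"(?P<account>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)"
    r"(\s\w+\W|\s)"
    r"(?P<rest>.*\S)"
)

# Constructed sample values in an assumed "DOMAIN\account trailer" layout;
# these are not taken from real Windows events.
SAMPLES = [
    r"CORP\ITS_Admin S-1-5-21-1111111111-2222222222-3333333333-1105",  # underscore branch
    r"CORP\John Smith (Contractor)",                                   # two-word branch
    r"CORP\Jane Mary Doe (Vendor)",                                    # three-word branch
    r"CORP\backup S-1-5-21-1111111111-2222222222-3333333333-1201",     # single-word branch
    r"CN=ITS_Admin,OU=Groups,DC=corp,DC=example",                      # DN form: no whitespace
]


def extract(value):
    """Return {'account': ..., 'rest': ...} as Splunk's rex would, or None."""
    m = ACCOUNT_RE.match(value)
    if not m:
        return None
    return {"account": m.group("account"), "rest": m.group("rest")}


def extract_all(values):
    """Apply the pattern to every sample; None marks values rex would skip."""
    return [extract(v) for v in values]


if __name__ == "__main__":
    for value, result in zip(SAMPLES, extract_all(SAMPLES)):
        print(f"{value!r:70} -> {result}")
```

Two things worth noticing in the output: when the account is a single word, the `\s\w+\W` branch swallows the first token after it (here the leading `S-` of the SID), and a DN-style value with no whitespace does not match at all, so the field would be empty for such events.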