Windows security daily domain activities

Comments

  1. Jeff

    John,

    “ITS_Admin” is a value pulled via regex from the line:

    | rex field=member_id "^\w+\W(?\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?.*\S)"

    To test what the regex is pulling from your Windows events, go to https://regex101.com/ and paste the regex (minus the quotes) "^\w+\W(?\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?.*\S)" into the REGULAR EXPRESSION field, then paste your event into the TEST STRING field. On the right-hand side, under MATCH INFORMATION, you will see the values the regex extracts.
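The following is an added example, not code from Jeff's comment or from the original search: it runs the same regex offline in Python so you can see what each capture group pulls from a member_id value without pasting events into a web site. Splunk's rex uses PCRE named groups `(?<name>...)`; Python needs `(?P<name>...)`. The capture-group names in the comment above were lost, so `group1` and `group2` here are placeholders, and the member_id strings are constructed samples, not real event data.

```python
import re
from typing import Optional, Dict

# Same pattern as the Splunk rex above, with Python-style named groups.
# "group1" and "group2" are placeholder names (assumption: the original
# group names are not preserved on the page).
MEMBER_ID_REGEX = re.compile(
    r"^\w+\W(?P<group1>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?P<group2>.*\S)"
)

# Constructed sample member_id values (not real Windows events).
SAMPLE_MEMBER_IDS = [
    r"CORP\ITS_Admin added jdoe",   # underscore-joined name: hits the \w+_\w+ alternative
    r"CORP\Jane Doe jdoe",         # two-word name: hits the \w*\s\w* alternative
    "ITS_Admin",                   # no leading DOMAIN\ prefix: ^\w+\W never matches
]


def extract(member_id: str) -> Optional[Dict[str, str]]:
    """Apply the rex pattern to one member_id value.

    Returns the two named captures, or None when the pattern does not match,
    which is what Splunk's rex would leave you with (no fields extracted).
    """
    match = MEMBER_ID_REGEX.match(member_id)
    if match is None:
        return None
    return {"group1": match.group("group1"), "group2": match.group("group2")}


if __name__ == "__main__":
    for value in SAMPLE_MEMBER_IDS:
        print(f"{value!r:35} -> {extract(value)}")
```

Note that the first alternative (`\w*\s\w*\s\w*`) is tried before `\w+_\w+`, so whether "ITS_Admin" lands in group1 depends on how many space-separated words follow it; check a few of your own member_id values rather than assuming one shape.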
