Dropping logon events for computer accounts not working

Hi,
I'm working at the moment on correlating Windows Logon and Special Logon events (4624 and 4672).
I want to drop the 4624 event when event_data.TargetUserName ends with $ because it is a computer-related account joining the domain.
What I have done so far is not working and I'm still receiving those events.

  1. First I've put the drop_event processor before the script processor, so the field I'm looking at is event_data.TargetUserName, not user.name.
    Is this correct?

  2. I've tried with the regexp condition, and no luck:

    - name: Security
      processors:
       - drop_event:
           when:
             and:
               - equals:
                   event.code: 4624
               - regexp:
                   event_data.TargetUserName: '.*\$'
    

I've also tried with a specific user, still no luck (instead of the regexp line):

               - contains:
                   event_data.TargetUserName: "DC_TEST2K12$"

What am I doing wrong?
Thank you very much
Regards
Ana

Apparently it is working now. I was using the wrong field name: it is winlog.event_data.TargetUserName instead of event_data.TargetUserName.


Regards
Ana
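A corrected version of the processor, written as an added example that is not part of Ana's post: it drops both the 4624 and 4672 events for computer accounts using the winlog.event_data.TargetUserName field name from the reply above. It assumes Winlogbeat 7.x field names, and anchors the regexp with a trailing $ because Beats regexp conditions match anywhere in the value, so the original '.*\$' would also drop any account whose name merely contains a dollar sign.

```yaml
# Added example (not from the original post). Drops Logon (4624) and
# Special Logon (4672) events whose TargetUserName ends in "$", i.e.
# computer accounts. Assumes Winlogbeat 7.x+ field names.
winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event:
          when:
            and:
              - or:
                  - equals:
                      event.code: 4624
                  - equals:
                      event.code: 4672
              # "\$" is the literal dollar sign that marks a computer account;
              # the final "$" anchors the match to the end of the value.
              - regexp:
                  winlog.event_data.TargetUserName: '\$$'
```

Keep this drop_event before any script processor that renames fields, as the question notes, so the condition sees the raw winlog.event_data field rather than user.name.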
