I'm working at the moment on correlating Windows Logon and Special Logon events (4624 and 4672).
I want to drop the 4624 events when
event_data.TargetUserName ends with $, because it is a computer-related account joining the domain.
What I have done so far is not working, and I'm still receiving those events.
First, I've put the drop_event processor before the script processor, so the field I'm looking at is event_data.TargetUserName, not user.name.
Is this correct?
I've tried with the regexp condition, with no luck:

```yaml
- name: Security
  processors:
    - drop_event:
        when:
          and:
            - equals:
                event.code: 4624
            - regexp:
                event_data.TargetUserName: '.*\$'
```
I've also tried with a specific user (instead of the regexp line), still no luck:

```yaml
- contains:
    event_data.TargetUserName: "DC_TEST2K12$"
```

What am I doing wrong?
Thank you very much
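An added example, not part of the original post: a complete Security log entry for winlogbeat.yml that drops computer-account 4624 logons before the security module's script processor runs. It assumes Winlogbeat 7.x, where event.code is a keyword (string) field, so the value has to be quoted ("4624") for the equals condition to compare at all, and where the raw event data lives under winlog.event_data rather than a top-level event_data. Both assumptions should be checked against a raw event from your own installation (for example in Discover with the JSON view) before copying this.

```yaml
winlogbeat.event_logs:
  - name: Security
    processors:
      # Drop computer-account logons before the security module's script
      # processor renames winlog.event_data.TargetUserName to user.name.
      - drop_event:
          when:
            and:
              # Assumption: event.code is a string ("4624") in Winlogbeat 7.x.
              # An unquoted 4624 is parsed as an integer and never equals a string.
              - equals:
                  event.code: "4624"
              # Assumption: 7.x ECS layout puts the raw fields under winlog.event_data.
              # The regexp condition is unanchored, so '\$$' pins the dollar sign to
              # the end of the name instead of matching a '$' anywhere in it.
              - regexp:
                  winlog.event_data.TargetUserName: '\$$'
      # The module's script processor as shipped in the 7.x default winlogbeat.yml;
      # it runs after drop_event, so dropped events never reach it.
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
```

The same two points apply to the contains variant from the post: once event.code is quoted and the field path matches what the raw event actually carries, `contains` with `"DC_TEST2K12$"` is a valid way to drop a single known computer account, and the regexp form generalises it to every account name ending in `$`.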