Can anyone advise where I'm going wrong with my query?
I am trying to achieve the following:
Generate an Alert whenever event.code 4648 is seen - with the only exception being to not alert if the winlog.event_data.SubjectUserName matches the winlog.event_data.TargetUserName field.
I have tried several variations of the following query, but I am still getting alerts where the Subject and Target user match for that Windows event:
event.code:"4648" and (not winlog.event_data.SubjectUserName:* or not winlog.event_data.TargetUserName:* or not winlog.event_data.SubjectUserName == winlog.event_data.TargetUserName)
The not operator is negating the entire condition, which is not what you want.
Try this:
event.code:"4648" AND NOT (winlog.event_data.SubjectUserName: * AND winlog.event_data.TargetUserName: * AND winlog.event_data.SubjectUserName == winlog.event_data.TargetUserName)
Hi yago82, thanks for your suggestion; I see what you mean.
Unfortunately I'm still having no luck with your suggested query.
I have double and triple checked that I've got your query right, and also that the field values are the same in the activity that I want to exclude (subject and target user).
I may have to explore other avenues of filtering this activity, annoyingly.
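KQL compares a field against a literal value, not against another field, so the "subject equals target" exclusion in this thread is better expressed as a Painless script filter in Elasticsearch query DSL. The following is an added example, not from the thread or from Elastic; it assumes both winlog.event_data fields are keyword-mapped (doc values available, as Winlogbeat maps them) and guards against either field being absent so that events missing one side still alert:

```json
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "event.code": "4648" } }
      ],
      "must_not": [
        {
          "script": {
            "script": {
              "lang": "painless",
              "source": "def s = doc['winlog.event_data.SubjectUserName']; def t = doc['winlog.event_data.TargetUserName']; return s.size() > 0 && t.size() > 0 && s.value == t.value;"
            }
          }
        }
      ]
    }
  }
}
```

Because Windows account names are case-insensitive, replacing `s.value == t.value` with `s.value.equalsIgnoreCase(t.value)` avoids alerting on pairs that differ only in letter case.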