Can someone help me with this rule to filter out computer logon and logoff
events? Since all computer accounts end with the $ I figured I could just
filter on that, for example
WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none)
User: W-ABC-3ND88P1$ WinEvtLog: Security: AUDIT_SUCCESS(4634)
Here is what I have but it is not working. I have tried several variations
of the regex but no luck with anything. Sure it is something simple but I
am just not hitting the right combination.
<rule id="102002" level="0">
  <if_sid>18149</if_sid>
  <!-- OS_Regex needs the backslash for the \w class (letters, digits, @ - _),
       and a literal dollar sign is written \$ with no space in front of it.
       The regex is tested against the raw event text; the "User:" label seen
       in the alert is added by the alert formatter, so it is left out here. -->
  <regex>\w+\$</regex>
  <description>Ignore machine logoff</description>
</rule>
Thanks for the help.
Karl
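An added check, not from the original post or from OSSEC itself: a small Python translation of OSSEC's OS_Regex dialect into Python `re`, used to try the posted pattern and the corrected one against constructed raw WinEvtLog lines before deploying the rule. The character classes and the raw event layout are assumptions taken from the OSSEC documentation; confirm the final rule with ossec-logtest.

```python
import re

# Character classes of OSSEC's OS_Regex dialect, as documented in the OSSEC
# regex syntax page (assumed here; verify against your OSSEC version).
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r"[ ]",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&@^_`{|}~]",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",
}

def ossec_to_python(pattern):
    """Translate an OS_Regex pattern into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \w \d ... become classes; any other escaped char (\$ \( \|) is literal
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            # ^ $ | + * ( ) keep their meaning; everything else is literal text
            out.append(c if c in "^$|+*()" else re.escape(c))
            i += 1
    return "".join(out)

def rule_matches(ossec_regex, log_line):
    """True if a rule's <regex> with this pattern would match the raw line."""
    return re.search(ossec_to_python(ossec_regex), log_line) is not None

# Constructed raw events in the OSSEC Windows agent's WinEvtLog layout
# (layout assumed); the alert quoted in the post is rendered from such lines.
MACHINE_LOGOFF = ("WinEvtLog: Security: AUDIT_SUCCESS(4634): "
                  "Microsoft-Windows-Security-Auditing: W-ABC-3ND88P1$: "
                  "EXAMPLE: W-ABC-3ND88P1: An account was logged off.")
USER_LOGOFF = ("WinEvtLog: Security: AUDIT_SUCCESS(4634): "
               "Microsoft-Windows-Security-Auditing: jsmith: "
               "EXAMPLE: W-ABC-3ND88P1: An account was logged off.")

ORIGINAL = r"User: w+ \$"   # from the post: literal 'w's, a space, then '$'
CORRECTED = r"\w+\$"        # one or more \w characters followed by a literal $

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "->", ossec_to_python(pat))
        print("  machine:", rule_matches(pat, MACHINE_LOGOFF),
              " user:", rule_matches(pat, USER_LOGOFF))
```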