I'm trying to create a blacklist for several Event IDs to exclude any events with multiple user accounts. For example, I'd like to filter EventID 4688 for any logs where the Account Name is Blank, any service account that begins with svc, any computer account that ends with $, etc.
I've tried the following, but I don't think either syntax is correct and I'm not sure how to include wildcards.
blacklist1=EventCode="4624,4625,4688" Message="Account Name:\s+$s+"
blacklist2=EventCode=%^(4624|4625|4688)$% User=%svc% %$% % %
NOTE: The 2 blacklist lines are the formats I've tried. I did not have both lines running at the same time.
What I'm looking for is essentially something like this:
Blacklist = EventID1, 2, 3 Account=*$, svc*, *(blank)*
I've tried using regex101 and regexr, but I feel I'm just not grasping the syntax of RegEx in general. Any help would be appreciated!
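An added worked example, not part of the original post or of any answer to it: Splunk's `inputs.conf` blacklist in `key=regex` form, where each value is a PCRE regex delimited by double quotes or `%` signs and every `key=regex` pair must match before the event is dropped. The Python below builds the two regexes the post asks for (EventCode anchored to 4624/4625/4688; Message matching an Account Name that is blank, starts with `svc`, or ends with `$`), renders the stanza for `inputs.conf`, and emulates Splunk's all-pairs-must-match rule against constructed event fragments so the regex can be checked before it is deployed. Assumptions: the `svc` prefix and the `[WinEventLog://Security]` stanza name are illustrative; treating `-` as Windows' rendering of an empty field is my reading of the Security log format; the sample messages are hand-built fragments, not real events.

```python
"""Emulate a Splunk inputs.conf `blacklist` (key=regex form) for Windows Security events.

Splunk matches every key=regex pair against the corresponding field of the event
and drops the event only when all of them match. This script builds the regexes,
prints the stanza, and checks them against constructed 4688/4624/4672 fragments.
"""
import re

# Event IDs to filter. Anchoring with ^...$ keeps 4624 from also matching 46241.
EVENTCODE_RE = r"^(4624|4625|4688)$"

# Account Name value that is blank (or "-"), starts with "svc", or ends with "$".
# [ \t] instead of \s keeps the match on one line of the multi-line Message field.
ACCOUNT_NAME_RE = (
    r"Account Name:[ \t]*"
    r"(?:"
    r"-?[ \t]*(?:\r?\n|\Z)"   # blank, or "-" (assumed: how Windows prints an empty field)
    r"|svc\S*"                # service-account naming convention svc* (assumed prefix)
    r"|\S+\$"                 # computer account, e.g. WS01$
    r")"
)


def inputs_conf_stanza(stanza="WinEventLog://Security"):
    """Render the blacklist as one inputs.conf line, using % delimiters so no quotes need escaping."""
    return (
        f"[{stanza}]\n"
        f"blacklist1 = EventCode=%{EVENTCODE_RE}% Message=%{ACCOUNT_NAME_RE}%\n"
    )


def is_blacklisted(event_code, message):
    """True when every key=regex pair matches, i.e. Splunk would drop the event."""
    return (re.search(EVENTCODE_RE, event_code) is not None
            and re.search(ACCOUNT_NAME_RE, message) is not None)


def sample_events():
    """Constructed Security-log fragments: (EventCode, Message, expected_blacklisted)."""
    subject = (
        "A new process has been created.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        "\tAccount Name:\t\t{name}\n"
        "\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x3E7\n"
    )
    return [
        ("4688", subject.format(name=""),           True),   # blank account name
        ("4688", subject.format(name="-"),          True),   # dash = empty field
        ("4624", subject.format(name="svc_backup"), True),   # service account
        ("4625", subject.format(name="WS01$"),      True),   # computer account
        ("4688", subject.format(name="jdoe"),       False),  # real user: keep
        ("4672", subject.format(name="WS01$"),      False),  # EventCode not listed: keep
    ]


def evaluate():
    """Run the blacklist over the samples; return [(code, expected, actual), ...]."""
    return [(code, expected, is_blacklisted(code, msg))
            for code, msg, expected in sample_events()]


if __name__ == "__main__":
    print(inputs_conf_stanza())
    for code, expected, actual in evaluate():
        print(f"EventCode={code} drop={actual} (expected {expected})")
```

Two caveats before pasting the stanza in: the Message regex is a search, so it fires on any `Account Name:` line in the event. In 4624/4625 the Subject section's Account Name is frequently the computer account or `-` for network logons, so this filter would drop most logon events regardless of who actually logged on; if the intent is the logon target, prefix the pattern with `New Logon:[\s\S]*?` or test against a real exported event first. The regex is also case-sensitive, so `SVC_Backup` would not be filtered unless you add `(?i)`.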