Hi, I was wondering if there was a way I could blacklist the following event based on the event code and the account name under the Subject field. So I want to blacklist events of code 4663 with a subject name of COMPUTER8-55$. What would the regex for that look like?
05/10/2024 01:05:35 PM
LogName=Sec
EventCode=4670
EventType=0
ComputerName=myComputer.net
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10000000
Keywords=Audit Success
TaskCategory=Authorization Policy Change
OpCode=Info
Message=Permissions on an object were changed.
Subject:
Security ID: S-0-20-35
Account Name: COMPUTER8-55$
Account Domain: myDomain
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: Token
Object Name: -
Handle ID: 0x1718
Process:
Process ID: 0x35c
Process Name: C:\Windows\System32\svchost.exe
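Added example, not part of the original post: a Python check of the regex the question asks for, run against constructed events shaped like the one quoted (the Account Name, SID and domain are the question's own values; the 4663 message text and file path are made up). The inputs.conf line in the comment assumes this is a Splunk Windows event log input, which the field layout suggests but the post does not state.

```python
import re

# Constructed 4663-shaped event (account, SID and domain values are the question's own).
EVENT_4663_SUBJECT = """LogName=Security
EventCode=4663
Message=An attempt was made to access an object.
Subject:
Security ID: S-0-20-35
Account Name: COMPUTER8-55$
Account Domain: myDomain
Logon ID: 0x3E7
Object:
Object Server: Security
Object Name: C:\\constructed\\path.txt
"""

# Constructed 4663 event where COMPUTER8-55$ appears only outside the Subject block.
EVENT_4663_ELSEWHERE = EVENT_4663_SUBJECT.replace(
    "Account Name: COMPUTER8-55$", "Account Name: someUser"
) + "Account Name: COMPUTER8-55$\n"

# Same Subject as the 4670 event quoted in the question, different code.
EVENT_4670_SUBJECT = EVENT_4663_SUBJECT.replace("EventCode=4663", "EventCode=4670")


def build_blacklist_regex(code: str, account: str) -> str:
    """Regex over the raw event text: EventCode must equal `code`, and `account`
    must be the Account Name directly under Subject:, not one under a later block.
    re.escape handles the trailing '$' of machine accounts (a bare $ is an anchor)."""
    return (rf"(?ms)^EventCode={re.escape(code)}\s*$"        # the EventCode= line
            r".*?^Subject:\s*\n"                               # up to the Subject block
            r"\s*Security ID:[^\n]*\n"                         # its Security ID line
            rf"\s*Account Name:\s*{re.escape(account)}\s*$")   # its Account Name line


def should_blacklist(event: str, code: str = "4663", account: str = "COMPUTER8-55$") -> bool:
    """True when the event matches the blacklist and would be dropped."""
    return re.search(build_blacklist_regex(code, account), event) is not None


# Assumption: if this is a Splunk Windows event log input, the same filter in
# inputs.conf is a key=regex blacklist. The Message regex covers only the message
# body, so the EventCode part becomes its own key rather than part of the regex:
#   blacklist1 = EventCode="4663" Message="(?s)Subject:\s*\n\s*Security ID:[^\n]*\n\s*Account Name:\s*COMPUTER8-55\$"

if __name__ == "__main__":
    for name, ev in [("4663/subject", EVENT_4663_SUBJECT),
                     ("4663/elsewhere", EVENT_4663_ELSEWHERE),
                     ("4670/subject", EVENT_4670_SUBJECT)]:
        print(f"{name}: blacklisted={should_blacklist(ev)}")
```

Only the first constructed event is dropped; the 4670 event and the 4663 event whose matching Account Name sits outside the Subject block both pass through.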