08-14-2018
08:39 AM
Thanks @chanfoli, that worked. Assuming I can't use the "%" wildcard with "match", like this:
| where match (Login_Security_ID,"(?i)%srvcusername")
08-14-2018
07:39 AM
@niketnilay Thanks for the reply. Same as above though, this didn't work for me. I also tried using (?i) with the like function, as well as matching the case of the username exactly as it's appearing in the event, but even that failed to return a result. Here are a few of the variations I tried:
| where match (Login_Security_ID,"(?i)domain\srvcusername")
| where match (Login_Security_ID,"(?i)DOMAIN\srvcUserName")
| where like (Login_Security_ID,"(?i)domain\srvcusername")
| where match (Login_Security_ID,"(?i)DOMAIN\srvcUserName")
| where like (Login_Security_ID,"(?i)%username")
08-14-2018
07:34 AM
@anthonymelita Thanks for the reply, but I'm afraid this didn't work. In fact, I couldn't get the sub-search to work even when I matched the case of the username in the search query exactly as it's showing up in the event, as seen below:
| search New_Process_Name="C:\Windows\System32\mmc.exe" AND Login_Security_ID = DOMAIN\srvcUserName
08-10-2018
09:22 AM
1 Karma
I'm using a regular expression to locate a certain field in a particular event and then return results where the contents of that field are "like" a certain string. However, what I'm finding is that the "like" operator is matching based on case. Similarly, when I switch the query to match the string exactly (i.e., using "="), this too is case-sensitive.
The example below returns the desired result. However, if I make the following change, no result is returned:
where (like (Login_Security_ID,"%UserName%"))
--to--
where (like (Login_Security_ID,"%username%"))
Any idea on how I can make this case INsensitive? Thanks for the help.
Search Being Run
EventCode=4688
| rex "(?ms)Security ID:..(?<Login_Security_ID>[DOMAIN]+.\w+.\w+)"
| rex "(?ms)New Process Name:..(?<New_Process_Name>.\S*)"
| where New_Process_Name=":\Windows\System32\mmc.exe"
| where (like (Login_Security_ID,"%UserName%"))
| eval attemptoutcome = keywords
Event Attempting to Return
08/10/2018 10:37:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=server.DOMAIN.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=6646657
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: DOMAIN\srvcUserName
Account Name: srvcUserName
Account Domain: DOMAIN
Logon ID: 0xd3245f55
Process Information:
New Process ID: 0x9b4
New Process Name: C:\Windows\System32\mmc.exe
Token Elevation Type: TokenElevationTypeLimited (3)
Creator Process ID: 0xf48
Process Command Line:
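Added example (Python `re`, not SPL and not code from the thread): the post's two field extractions and its `like`/`match` comparisons reproduced on a shortened, constructed copy of the 4688 event quoted above, with case handled either by `(?i)` or by lowering both sides. It also shows why a pattern containing `domain\srvcusername` cannot match: in Python and PCRE alike `\s` is the whitespace class, so the backslash must be escaped before `DOMAIN\user` can be matched literally (how many backslashes an SPL string literal needs on top of that is not settled on this page).

```python
import re

# Constructed sample, shortened from the 4688 event quoted in the post; tabs stand in
# for the whitespace Windows puts between each label and its value.
EVENT_4688 = (
    "Message=A new process has been created.\n"
    "Subject:\n"
    "\tSecurity ID:\t\tDOMAIN\\srvcUserName\n"
    "\tAccount Name:\t\tsrvcUserName\n"
    "Process Information:\n"
    "\tNew Process Name:\tC:\\Windows\\System32\\mmc.exe\n"
)

# Field extraction in the role of the post's two rex commands (field names kept from the post).
FIELD_PATTERNS = {
    "Login_Security_ID": re.compile(r"^\s*Security ID:\s+(\S+)", re.M),
    "New_Process_Name": re.compile(r"^\s*New Process Name:\s+(\S+)", re.M),
}

def extract_fields(message):
    fields = {}
    for name, rx in FIELD_PATTERNS.items():
        m = rx.search(message)
        if m:
            fields[name] = m.group(1)
    return fields

def like(value, pattern):
    """SQL-style like() with the % wildcard; both sides are lowered, so case cannot matter."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("%"))
    return re.fullmatch(regex, value.lower()) is not None

def match(value, regex):
    """The role of match(X, "(?i)..."): the second argument is a real regex, escapes included."""
    return re.search(regex, value) is not None

def demo():
    fields = extract_fields(EVENT_4688)
    sid = fields["Login_Security_ID"]  # 'DOMAIN\\srvcUserName' (one backslash in the value)
    return {
        # like(): the post's failing "%username%" case, fixed by lowering both sides.
        "like_lower": like(sid, "%username%"),
        # In a regex, \s is the whitespace class, so this pattern means "domain rvcusername".
        "match_raw_backslash": match(sid, r"(?i)domain\srvcusername"),
        # Doubling the backslash (or using re.escape) matches DOMAIN\user literally.
        "match_escaped": match(sid, r"(?i)domain\\srvcusername"),
        "match_re_escape": match(sid, "(?i)" + re.escape("domain\\srvcusername")),
        # Exact comparison without a regex, the 'where X=...' case in the post: lower both sides.
        "exact_lower": sid.lower() == "domain\\srvcusername",
        "process_ok": fields["New_Process_Name"].lower() == r"c:\windows\system32\mmc.exe",
    }
```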
06-27-2018
10:19 AM
Thanks. That worked and I'll also look into TA for Windows. Appreciate the help.
06-26-2018
12:08 PM
I am trying to create a search that returns only those events that have a specific username (or part of a username) in the Account Name field under Target Account. I have zero experience with regular expressions, but based on some other posts I was able to put together a regex that seems to locate the appropriate field (which I tested on regex101.com). However, I can't seem to get the search to work - I've tried three different variations, and all error out. One final note, I'm using "like" because in the final iteration of the search, I'll be looking for any username that contains a specific suffix, not just one specific account. Appreciate the help.
WORKING REGEX
(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)
SAMPLE EVENT
6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4723
EventType=0
Type=Information
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
OpCode=Info
RecordNumber=329720657
Keywords=Audit Success
Message=An attempt was made to change an account's password.
Subject:
Security ID: TRX\jsmith
Account Name: jsmith
Account TRX: TRX
Logon ID: 0x6368FECE
Target Account:
Security ID: TRX\jsmith
Account Name: jsmith
Account TRX: TRX
Additional Information:
Privileges
SEARCH THAT WORKS (But does not use the regular expression)
EventCode=4723 OR EventCode=4724 | where like (Account_Name,"jsmith")
REGEX SEARCHES TRIED
EventCode=4723 OR EventCode=4724 | where like ((regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = (?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)),"jsmith")
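Added example (Python `re`, not code from the thread): the Target Account extraction this post is after, run over constructed 4723/4724 messages laid out with the tabs and CRLF Windows writes (account names invented), then filtered by username suffix case-insensitively, which the post names as its end goal. The post's regex is kept beside a tighter variant, because on that layout `[^ ]*` runs past the name to the next space and the greedy `.*` binds to the last `Account Name:` in the message rather than the first after `Target Account:`; `\S+` and `.*?` avoid both.

```python
import re

# Constructed 4723/4724 messages in the shape of the event quoted above, with the tabs and CRLF
# Windows writes (account names invented). Subject is the actor, Target Account the account acted on.
def make_event(code, actor, target):
    return (
        f"EventCode={code}\r\n"
        "Message=An attempt was made to change an account's password.\r\n"
        "Subject:\r\n"
        f"\tSecurity ID:\t\tTRX\\{actor}\r\n"
        f"\tAccount Name:\t\t{actor}\r\n"
        "\tAccount Domain:\t\tTRX\r\n"
        "Target Account:\r\n"
        f"\tSecurity ID:\t\tTRX\\{target}\r\n"
        f"\tAccount Name:\t\t{target}\r\n"
        "\tAccount Domain:\t\tTRX\r\n"
    )

EVENTS = [
    make_event(4723, "jsmith", "jsmith"),
    make_event(4724, "jsmith", "backup_svc"),
    make_event(4724, "helpdesk1", "Web_SVC"),
]

# The post's working regex, with Splunk's (?<name>) written the Python way, (?P<name>).
POSTED_RE = re.compile(r"(?ms)Target Account:.*Security ID:.*Account Name:\s+(?P<Account_Name>[^ ]*)")
# Same anchoring on the Target Account section, but \S+ stops at any whitespace (not only a space)
# and the reluctant .*? binds to the first Account Name: after Target Account:, not the last one.
TIGHT_RE = re.compile(r"(?ms)Target Account:.*?Security ID:.*?Account Name:\s+(?P<Account_Name>\S+)")

def target_account(message, rx=TIGHT_RE):
    """Account_Name of the Target Account section, or None when the message has no such section."""
    m = rx.search(message)
    return m.group("Account_Name") if m else None

def targets_with_suffix(events, suffix):
    """Target account names ending in suffix, compared case-insensitively: the role the post's
    eventual  where like(Account_Name, "%suffix")  would play once both sides are lowered."""
    hits = []
    for ev in events:
        name = target_account(ev)
        if name is not None and name.lower().endswith(suffix.lower()):
            hits.append(name)
    return hits
```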
- Tags:
- regex
- splunk-cloud
06-19-2018
10:52 AM
Thanks for the suggestion. I'm just getting started with Splunk - any chance you could provide an example of how to do this? Here is how the search is currently written. Appreciate it.
EventCode=4732 Group_Name=Administrators Group_Domain=Builtin | fields *
06-19-2018
10:25 AM
I have configured an email alert, and I would like to include two tokens without a space in the body of the email.
The two fields are:
  - member_nt_domain = URT\
  - member = jsmith
So, I would like the output in the email formatted like this: URT\jsmith. The reason that I can't have the space is that the domain token includes the backslash - otherwise adding "\" in between the two tokens would produce the desired result.
I have tried the following, but none seem to work. (I've included the result that each produces in the section after the -->)
$result.member_nt_domain result.member$ --> *blank*
$result.member_nt_domain$ $result.member$ --> URT\ jsmith
$result.member_nt_domain$$result.member$ --> $result.member_nt_domain$result.member$
$result.member_nt_domain$result.member$ --> URT\result.member$
Thanks for the help.