I am trying to create a search that returns only those events that have a specific username (or part of a username) in the Account Name field under Target Account. I have zero experience with regular expressions, but based on some other posts I was able to put together a regex that seems to locate the appropriate field (which I tested on regex101.com). However, I can't seem to get the search to work - I've tried three different variations, and all error out. One final note, I'm using "like" because in the final iteration of the search, I'll be looking for any username that contains a specific suffix, not just one specific account. Appreciate the help.
WORKING REGEX
(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)
SAMPLE EVENT
6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4723
EventType=0
Type=Information
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
OpCode=Info
RecordNumber=329720657
Keywords=Audit Success
Message=An attempt was made to change an account's password.
Subject:
Security ID: TRX\jsmith
Account Name: jsmith
Account TRX: TRX
Logon ID: 0x6368FECE
Target Account:
Security ID: TRX\jsmith
Account Name: jsmith
Account TRX: TRX
Additional Information:
Privileges
SEARCH THAT WORKS (But does not use the regular expression)
EventCode=4723 OR EventCode=4724 | where like (Account_Name,"jsmith")
REGEX SEARCHES TRIED
EventCode=4723 OR EventCode=4724 | where like ((regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = (?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)),"jsmith")
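The following is an added example, written here in Python rather than taken from the original post or from Splunk, that checks the regex against constructed copies of the 4723 event and mimics the intended pipeline (event-code filter, named-group extraction, then a `like` comparison). The event builder, the event text for 4724/4738, and the account names other than jsmith are constructed for the test; Python names capture groups `(?P<name>...)`, whereas Splunk's `rex` command accepts the `(?<name>...)` form used in the question.

```python
import re
from typing import List, Optional

# Hypothetical event builder: reproduces the layout of the 4723 sample in the question
# (Subject block first, Target Account block second) so that different subject and target
# names can be tested. Field values other than the question's own are constructed.
EVENT_TEMPLATE = """6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode={code}
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
Keywords=Audit Success
Message={message}
Subject:
Security ID: TRX\\{subject}
Account Name: {subject}
Account Domain: TRX
Logon ID: 0x6368FECE
Target Account:
Security ID: TRX\\{target}
Account Name: {target}
Account Domain: TRX
Additional Information:
Privileges
"""

MESSAGES = {
    "4723": "An attempt was made to change an account's password.",
    "4724": "An attempt was made to reset an account's password.",
    "4738": "A user account was changed.",
}


def make_event(code: str, subject: str, target: str) -> str:
    return EVENT_TEMPLATE.format(code=code, message=MESSAGES[code], subject=subject, target=target)


# Same idea as the question's regex, with two changes: lazy quantifiers (.*?) so the match
# stops at the first Security ID / Account Name after "Target Account:", and \S+ so the
# capture ends at the line break instead of running into the next line.
TARGET_NAME_RE = re.compile(
    r"(?ms)Target Account:.*?Security ID:.*?Account Name:\s+(?P<Account_Name>\S+)"
)


def extract_target_account_name(event: str) -> Optional[str]:
    """Returns the Target Account's Account Name, or None if the block is absent."""
    m = TARGET_NAME_RE.search(event)
    return m.group("Account_Name") if m else None


def splunk_like(value: str, pattern: str) -> bool:
    """Approximates SPL like(): '%' matches any run of characters, '_' exactly one
    character, everything else literally. like(x, "jsmith") is therefore an exact match;
    a 'contains' test needs wildcards, e.g. "%jsmith%"."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def search(events: List[str], like_pattern: str) -> List[str]:
    """Mimics the pipeline
       EventCode=4723 OR EventCode=4724 | rex <regex> | where like(Account_Name, pattern)
    and returns the matching target account names in event order."""
    hits = []
    for ev in events:
        code = re.search(r"^EventCode=(\d+)$", ev, re.M)
        if not code or code.group(1) not in {"4723", "4724"}:
            continue
        name = extract_target_account_name(ev)
        if name is not None and splunk_like(name, like_pattern):
            hits.append(name)
    return hits


# Constructed test events: a self-service change, two admin resets, and a 4738 that the
# EventCode filter must drop even though its target name ends in the suffix of interest.
EVENTS = [
    make_event("4723", "jsmith", "jsmith"),
    make_event("4724", "adminuser", "jdoe-adm"),
    make_event("4724", "adminuser", "svc-backup"),
    make_event("4738", "adminuser", "x-adm"),
]

if __name__ == "__main__":
    print(search(EVENTS, "jsmith"))    # exact match only
    print(search(EVENTS, "%-adm"))     # suffix match
    print(search(EVENTS, "%svc%"))     # contains
```

Two points carry over to the Splunk side: a regex is applied with the `rex` command (which creates the named field from `_raw`), and `where like(...)` then compares that field, so the regex does not belong inside the `like()` call; and `like` without `%` wildcards is an exact comparison, so a suffix search needs a pattern such as `"%-adm"`. The second constructed event also shows why the match must start at "Target Account:": the Subject block has its own Account Name (adminuser), and it is the target name (jdoe-adm) that the search is meant to return.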