Good morning,
I am trying to create a filter to avoid events where the user is 3 letters and 4 numbers (not 0), e.g. FSA4568, and to avoid events at the time of entry to work for these users. I have created the filter for the user regex, but I don't know how to integrate it with the time. The goal is that no events appear when the user has the structure of 3 letters plus four numbers and the time is between 7:30 and 9:30 a.m. How can I integrate it?
This is the search:
(index="anb_andorra" OR index="anb_luxembourg" OR index="anb_monaco" OR index="anb_espana") source="XmlWinEventLog:Security"
    ((EventCode IN (4771,4768) Error_Code=0x6) OR (EventCode=4625 Error_Code="0xc000006d"))
    user!="*$" src!="::ffff:*"
| regex user!="^[A-Z]{3}[1-9]{4}$"
| eval timestamp = _time*1000, name = signature