I don't really understand. Can you show me a example please? ... View more

maybe you want to try this - | rex "Message="+(?<Info>.*) Hope it works ... View more

Maybe you want to use this - | regex Account_Name!="\$$" I am using this in my search string and it drop all the hostname$  ... View more

09/19/2021 03:55:51 PM LogName=Security EventCode=4624 EventType=0 ComputerName=AD-Server.testlab.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=27458 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - This is what I am trying to capture. Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: AD-SERVER$ Account Domain: TESTLAB.LOCAL Logon ID: 0x4DCB94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {416FA300-18E5-910D-E3C0-C4227DAEDEA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: fe80::eda5:784c:f765:5574 Source Port: 61946 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requeste ... View more

@ITWhisperer, Thanks for sharing. I made some changes and now this is how it turns out. For the time range, this is my command - [earliest=-7d@d-5h latest=@d+7h] As I am running this every Monday, I guess I should the search string should search for all the data 7 days back starting 1900 hours to following day 7am. Not sure if anyone can assist but I manage to extract out the account name with the following command - | rex "(?ms)Account Name:.*?Account Name:\s+(?<Account_Name>\S+)" but it's extracting out all the (hostname$) and SYSTEM. Is there anyway to drop all the hostname$ and SYSTEM and only show the rest? Thank You regards, Alex ... View more

Sorry to hijack this thread.  Can someone please explain to me this string?   (EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793") I don't quite understand the logic behind the search string. ... View more

@ITWhisperer, Yes, the timings are not correct but I was just testing to see if it work. Is it necessary to include @d? What is the purpose of bin span=1h _time? If I run the search string every Monday against 1 week of data, I should be able to get all the information for that 1 week from 10pm to 10am. Please correct me if I am wrong. Thank You ... View more

@ITWhisperer, I found this online and it work earliest= "-1d@d+19h@h" latest="@d+7h@h" Can you please explain in more detail on your search string? ... View more

I got a earlier log that grabs all the necessary info into the following tables - username , defaultmsg , date , time. ============= Aug 25 17:41:05 IP_ADDR consolidated_audit: {"affectedEntityList":[{"entityType":"vm","name":"HOSTNAME01 | PROGRAMNAME","uuid":"11aef477-6f03-4a22-baa7-23736c8e741c"}],"alertUid":"VmUpdateAudit","classificationList":["UserAction"],"creationTimestampUsecs":"1629874233889978","defaultMsg":"Updated VM HOSTNAME01 | Tenable","opEndTimestampUsecs":"1629874233884373","opStartTimestampU============== secs":"1629874233779524","operationType":"Update","originatingClusterUuid":"0005ad50-f430-a46c-001e-e4434bb76b0e","params":{"is_secure_boot":"false","is_uefi_boot":"true","vm_name":"HOSTNAME01 | PROGRAMNAME"},"recordType":"Audit","severity":"Audit","userName":"ABC@ABC.COM","userUuid":"3f73d040-7516-5caa-a956-91179b2cb1f5","uuid":"254f3952-bf9b-4205-8a14-ad2074ed70ab"}   But the issue now is that in the earlier msg, there is no defaultmsg field in the earlier event and it under table (defualtmsg) , it's empty ... View more

Hi @PickleRick,   You're right. I was intending to drop the above log from showing up in the search using some of the data from the above mentioned text. Text to be used > |httpMethod=POST| | restEndPoint=/v1/insights_transport/transfer_data_to_multicluster|  ... View more

May I check if I can use eval command to actually filter to stop the data from showing up?   If yes, would anyone please show me how to use eval command? ... View more

Hi @gcusello , Please find pdf of the text   ... View more

Hi @PickleRick ,   Would you mind to show me a example if you don't mind? Thank You Regards, Alex ... View more