I have created a pipeline rule:
    rule "Drop4624MachineAccounts"
    when
        to_string($message.EventID) == "4624" AND
        contains(to_string($message.TargetUserName), "$", true)
    then
        drop_message();
    end
I am using GELF to ingest the Windows security log.
I would like to drop specific events, in this case event 4624 whenever the TargetUserName field contains a computer account. A computer account has a $ symbol at the end, like
I have tried using the contains function but it's not working.
I appreciate your assistance in making this work.
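As an added illustration that is not part of the original post and not Graylog's own code, the following Python models the rule's matching logic over a few constructed GELF-style messages, so the condition can be checked offline before it goes into a pipeline; the field names `EventID` and `TargetUserName` are taken from the rule above, the sample messages are made up, and the `contains` versus `ends_with` modes show why a name with a `$` in the middle is matched by one and not the other.

```python
import json

# Constructed GELF-style messages (newline-delimited JSON), modelled on the
# two fields the rule uses. Real Windows event shippers emit many more fields.
SAMPLE_GELF = """\
{"version":"1.1","host":"dc01","short_message":"logon","_EventID":4624,"_TargetUserName":"WS01$"}
{"version":"1.1","host":"dc01","short_message":"logon","_EventID":4624,"_TargetUserName":"alice"}
{"version":"1.1","host":"dc01","short_message":"logon","_EventID":"4624","_TargetUserName":"svc$acct"}
{"version":"1.1","host":"dc01","short_message":"failed","_EventID":4625,"_TargetUserName":"WS02$"}
"""


def parse_gelf_lines(text):
    """Parse newline-delimited GELF. GELF prefixes additional fields with '_'
    and Graylog strips that prefix on ingest, so drop it here too to get the
    same names the rule reads as $message.<field>."""
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        messages.append({k.lstrip("_"): v for k, v in raw.items()})
    return messages


def drop_4624_machine_accounts(msg, match="ends_with"):
    """Mirror the pipeline condition. to_string() is modelled by str(), so a
    numeric or string EventID both compare equal to "4624".
    match='contains' reproduces the posted rule ('$' anywhere in the name);
    match='ends_with' only matches names whose final character is '$'."""
    if str(msg.get("EventID", "")) != "4624":
        return False
    user = str(msg.get("TargetUserName", ""))
    if match == "contains":
        return "$" in user
    return user.endswith("$")


def apply_rule(messages, match="ends_with"):
    """Return the messages that survive the drop rule."""
    return [m for m in messages if not drop_4624_machine_accounts(m, match)]


if __name__ == "__main__":
    msgs = parse_gelf_lines(SAMPLE_GELF)
    for mode in ("contains", "ends_with"):
        kept = [m["TargetUserName"] for m in apply_rule(msgs, mode)]
        print(mode, "keeps:", kept)
```

Graylog's pipeline functions also include `ends_with(value, suffix, ignore_case)` alongside `contains`, which is the closer match for a trailing `$`.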