I am searching for specific event (4624) and where targetusername doesn’t match computername.
The computer accounts in Windows is denoted by a $ at the end of the name.
So i used the regex provide in above thread. The regex ([\w-]+$) works when i test in online regexr.com
However, when i used in graylog search it failed.
My idea is to exclude all 4624 events where TargetUserName is a computer account.