
Is it possible in a rule/filter to create a correlation/condition in which the text of one event field is contained within another field?

Okay,

I know this may sound a bit confusing. Here are the specifics of what I am attempting to do...

For the UserLogon event, I want to see if the text contained in the DestinationAccount field is or is not contained within the EventInfo field.

This is related to the Windows Security Event ID 4624 (UserLogon). For example, the DestinationAccount field would show the text "someuser", while the EventInfo field would show "Logon "somedomain\someuser"".

Is it possible in a rule/filter syntax to see if "someuser" is contained within "somedomain\someuser"? I attempted to write a filter (unsuccessfully) using the following syntax...

pastedImage_14.png
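The post does not name the product whose rule/filter syntax it is using, so the containment check it asks for is shown here as an added example in plain Python rather than in any vendor's filter language. The code is not from the poster or from any SIEM; the field names DestinationAccount and EventInfo follow the post, while the record layout, the helper names and the sample 4624 records are constructed for this example. It also goes slightly beyond the question by distinguishing a naive substring test from a whole-account match, which matters when one account name is a substring of another (for example "ann" inside "joanne").

```python
# Added example (not from the forum post or any SIEM product): for constructed
# Windows Security Event ID 4624 records, test whether the DestinationAccount
# value is contained in the EventInfo text, as the post asks.
import re

# Constructed sample records; field names follow the post, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "DestinationAccount": "someuser",
     "EventInfo": 'Logon "somedomain\\someuser"'},
    {"EventID": 4624, "DestinationAccount": "jdoe",
     "EventInfo": 'Logon "SOMEDOMAIN\\JDOE"'},
    {"EventID": 4624, "DestinationAccount": "svc_backup",
     "EventInfo": 'Logon "somedomain\\otheruser"'},
    {"EventID": 4624, "DestinationAccount": "ann",
     "EventInfo": 'Logon "somedomain\\joanne"'},
]

# Characters that can be part of a Windows account name; used to make sure a
# match is a complete account name and not a fragment of a longer one.
_NAME_CHARS = r"[A-Za-z0-9_.$-]"


def account_in_event_info(event, case_insensitive=True, whole_account=True):
    """Return True when the DestinationAccount text appears in EventInfo.

    case_insensitive: Windows account names are not case-sensitive, so the
        default folds case before comparing.
    whole_account: when True, only a complete account name matches (the text
        right after a backslash, for instance), so "ann" does not match
        "joanne". When False, this is a plain substring test.
    """
    acct = event.get("DestinationAccount", "")
    info = event.get("EventInfo", "")
    if not acct or not info:
        return False  # missing field: treat as "not contained"
    if whole_account:
        pattern = (r"(?<!" + _NAME_CHARS + ")" + re.escape(acct)
                   + r"(?!" + _NAME_CHARS + ")")
        flags = re.IGNORECASE if case_insensitive else 0
        return re.search(pattern, info, flags) is not None
    if case_insensitive:
        return acct.lower() in info.lower()
    return acct in info


def split_logon_events(events):
    """Partition 4624 events into (contained, not_contained) lists.

    Events with any other EventID are ignored, mirroring a rule scoped to
    the UserLogon event only.
    """
    contained, not_contained = [], []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        (contained if account_in_event_info(ev) else not_contained).append(ev)
    return contained, not_contained


if __name__ == "__main__":
    hits, misses = split_logon_events(SAMPLE_EVENTS)
    for ev in hits:
        print("contained:    ", ev["DestinationAccount"], "->", ev["EventInfo"])
    for ev in misses:
        print("NOT contained:", ev["DestinationAccount"], "->", ev["EventInfo"])
```

With the constructed records, "someuser" and "jdoe" are reported as contained (the second only because the comparison folds case), "svc_backup" is not, and "ann" is not under the whole-account check even though it is a substring of "joanne". Whether a given product's filter language can express the equivalent (a field-to-field contains, and whether it is case-sensitive) is exactly what the question is asking, and the Python makes the intended semantics explicit so they can be checked against that syntax.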