0 Replies Latest reply on Feb 11, 2015 2:14 PM by tcrutchley

    Is it possible in a rule/filter to create a correlation/condition in which the text of one event field is contained within another field?

    tcrutchley

      Okay,

           I know this may sound a bit confusing. Here are the specifics of what I am attempting to do...

       

           For the UserLogon event, I want to see if the text contained in the DestinationAccount field is or is not contained within the EventInfo field.

       

           This is related to the Windows Security Event ID:4624. (UserLogon).  For example, the DestinationAccount field would show the text "someuser", while the EventInfo field would show "Logon ""somedomain\someuser"".

       

           Is it possible in a rule/filter syntax to see if "someuser" is contained within "somedomain\someuser"?  I attempted to write a filter (unsuccessfully) using the following syntax...