Okay,
I know this may sound a bit confusing. Here are the specifics of what I am attempting to do...
For the UserLogon event, I want to see if the text contained in the DestinationAccount field is or is not contained within the EventInfo field.
This is related to the Windows Security Event ID 4624 (UserLogon). For example, the DestinationAccount field would show the text "someuser", while the EventInfo field would show "Logon ""somedomain\someuser"".
Is it possible in a rule/filter syntax to see if "someuser" is contained within "somedomain\someuser"? I attempted to write a filter (unsuccessfully) using the following syntax...