Regex in a Custom View

Jessé da Costa Cabral Neto 1 Reputation point
2022-03-23T12:56:19.983+00:00

Hello, I have the following scenario.

I would like to identify, in the filter of a Windows Custom View, whether the ServiceName field of the event XML has been filled in.

So I use "*$" as the filter, so that an alert is raised for any machine/service that appears in the ServiceName field.

```xml
*[EventData[Data[@Name='ServiceName']='$']]
```

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=4769)]]
      and
      *[EventData[Data[@Name='ServiceName']='*$']]
    </Select>
  </Query>
</QueryList>
```

Anyway, the regex does not work here. Does anyone have a solution for this?


1 answer

Limitless Technology 39,511 Reputation points
2022-03-29T13:56:41.777+00:00

Hi @Jessé da Costa Cabral Neto

Here are a couple of links to potentially helpful articles regarding diagnosing this issue:

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.2

I do hope this answers your question.

Thanks.

--
--If the reply is helpful, please Upvote and Accept as answer--
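The Event Log XPath subset used by Custom Views and Get-WinEvent has no wildcards or regex, so '*$' is matched as a literal string. The following is an added example, not code from the original post or from Microsoft: it rewrites the filter as a comparison against the empty string (which the Event Log XPath subset does support) and then applies a regex client-side in PowerShell; the pattern `\$$`, assumed here to express what '*$' was meant to say (service names ending in a dollar sign), is an assumption.

```powershell
# Added example (not from the original post): Custom View / Get-WinEvent filter
# for Kerberos service-ticket events (4769) whose ServiceName field is non-empty.
# The Event Log XPath subset supports =, != and the boolean operators, but no
# wildcards or regex, so compare against '' instead of '*$'.
$FilterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4769)]]
      and
      *[EventData[Data[@Name='ServiceName'] != '']]
    </Select>
  </Query>
</QueryList>
'@

# Read the matching events (needs permission to read the Security log).
$events = Get-WinEvent -FilterXml $FilterXml -MaxEvents 50 -ErrorAction SilentlyContinue

# Regex is only available client-side: convert each event to XML and match the
# ServiceName value in PowerShell. The pattern is an assumption standing in for
# the original '*$' (service names that end in a dollar sign).
$Pattern = '\$$'

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $svc = ($xml.Event.EventData.Data |
            Where-Object { $_.Name -eq 'ServiceName' }).'#text'
    if ($svc -match $Pattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            ServiceName = $svc
            Computer    = $e.MachineName
        }
    }
}
```

The same `<QueryList>` block can be pasted into the XML tab of a Custom View in Event Viewer; only the regex post-filter needs PowerShell.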