Firsts of event 538 in the Security event log

(imported topic written by ajdyer200091)

Hi,

I got this relevance from another post but it closely does what I’m trying to accomplish.

What I would like is to

1: return only user IDs (The one below returns computers also)

2: return user IDs that BEGIN with “u1” or “u2” (all user IDs start with u1yyy or u2yyy where yyy = 3 initials)

3: return ONLY THE FIRST time any user logged in to the domain with date and time in the format below.

I really appreciate everyone's help. This is a great forum.

(time generated of it, ((item 1 of it & "\" & item 0 of it) of (parenthesized parts of (first matches (regex "User Name:\s(\w+)") of description of it), parenthesized parts of (matches (regex "Domain:\s+([A-Za-z0-9-]+)") of description of it)))) of records whose (event id of it = 538 AND time generated of it > (now - 2*day)) of security event log

A: ( Mon, 09 Aug 2010 09:08:46 -0400 ), Domain\U1JKE

A: ( Mon, 09 Aug 2010 10:04:04 -0400 ), Domain\COMPUTER1

A: ( Mon, 09 Aug 2010 10:04:04 -0400 ), Domain\COMPUTER1

A: ( Mon, 09 Aug 2010 10:04:04 -0400 ), Domain\COMPUTER1

A: ( Mon, 09 Aug 2010 11:09:38 -0400 ), Domain\U1JKE

A: ( Mon, 09 Aug 2010 11:18:17 -0400 ), NT\ANONYMOUS

A: ( Mon, 09 Aug 2010 11:58:50 -0400 ), Domain\U1JKE

A: ( Mon, 09 Aug 2010 12:58:47 -0400 ), Domain\COMPUTER1

A: ( Mon, 09 Aug 2010 14:04:32 -0400 ), Domain\U1JKE

A: ( Mon, 09 Aug 2010 14:08:41 -0400 ), Domain\U1JKE

A: ( Mon, 09 Aug 2010 14:37:29 -0400 ), Domain\U1JKE

A: ( Mon, 09 Aug 2010 17:02:37 -0400 ), Domain\U1JKE

(imported comment written by BenKus)

For 1/2, you can try:

it whose (following text of first "\" of item 1 of it as lowercase starts with "u1" OR following text of first "\" of item 1 of it as lowercase starts with "u2") of (time generated of it, ((item 1 of it & "\" & item 0 of it) of (parenthesized parts of (first matches (regex "User Name:\s(\w+)") of description of it), parenthesized parts of (matches (regex "Domain:\s+([A-Za-z0-9-]+)") of description of it)))) of records whose (event id of it = 538 AND time generated of it > (now - 2*day)) of security event log

3 turns out to be pretty hard… I will need to think about a good approach…

Ben
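Added illustration, not part of this thread or of BigFix: the same two regexes applied outside relevance, in Python, over constructed event descriptions shaped like the 538 records above, covering all three requests including the "first occurrence per user" one (item 3) by sorting on time and keeping the earliest hit per DOMAIN\USER. The record layout and names in SAMPLE_RECORDS are constructed for the example.

```python
import re
from datetime import datetime

# Constructed (time_generated, description) pairs modelled on event 538 text;
# deliberately out of time order, with a computer account, an anonymous
# logon and one record lacking the expected fields.
SAMPLE_RECORDS = [
    (datetime(2010, 8, 9, 11, 9, 38), "User Logoff:\n\tUser Name:\tU1JKE\n\tDomain:\t\tDOMAIN\n\tLogon Type:\t3"),
    (datetime(2010, 8, 9, 10, 4, 4), "User Logoff:\n\tUser Name:\tCOMPUTER1$\n\tDomain:\t\tDOMAIN\n\tLogon Type:\t3"),
    (datetime(2010, 8, 9, 9, 8, 46), "User Logoff:\n\tUser Name:\tU1JKE\n\tDomain:\t\tDOMAIN\n\tLogon Type:\t3"),
    (datetime(2010, 8, 9, 11, 18, 17), "User Logoff:\n\tUser Name:\tANONYMOUS LOGON\n\tDomain:\t\tNT AUTHORITY\n\tLogon Type:\t3"),
    (datetime(2010, 8, 9, 10, 30, 0), "User Logoff:\n\tUser Name:\tU2ABC\n\tDomain:\t\tDOMAIN\n\tLogon Type:\t3"),
    (datetime(2010, 8, 9, 12, 0, 0), "Unrelated event text without the expected fields"),
]

# Same patterns as the relevance in the thread.
USER_RE = re.compile(r"User Name:\s(\w+)")
DOMAIN_RE = re.compile(r"Domain:\s+([A-Za-z0-9-]+)")

def parse_record(description):
    """Return (domain, user) from a 538 description, or None if a field is missing."""
    user = USER_RE.search(description)
    domain = DOMAIN_RE.search(description)
    if not user or not domain:
        return None
    return domain.group(1), user.group(1)

def is_user_id(name):
    """Request 1/2: keep only accounts whose name starts with u1 or u2 (case-insensitive)."""
    lowered = name.lower()
    return lowered.startswith("u1") or lowered.startswith("u2")

def first_event_per_user(records):
    """Request 3: earliest time_generated per DOMAIN\\USER among matching user IDs."""
    firsts = {}
    for when, description in sorted(records, key=lambda r: r[0]):
        parsed = parse_record(description)
        if parsed is None:
            continue
        domain, user = parsed
        if not is_user_id(user):
            continue
        firsts.setdefault(f"{domain}\\{user}", when)  # first hit wins after sorting
    return firsts

def format_line(key, when):
    """Render one result in the thread's "( Mon, 09 Aug 2010 09:08:46 ), DOMAIN\\USER" style."""
    return f"( {when.strftime('%a, %d %b %Y %H:%M:%S')} ), {key}"

if __name__ == "__main__":
    for key, when in first_event_per_user(SAMPLE_RECORDS).items():
        print(format_line(key, when))
```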

(imported comment written by ajdyer200091)

Thanks Ben. I appreciate all your help.

(imported comment written by ajdyer200091)

Ben don’t knock yourself out. What you gave me is good enough. (Unless you like a challenge.)