(imported topic written by jeko1791)
I am new to BigFix but picking up the Relevance fairly quickly. I’ve created an Analysis that will find all security log events of specific IDs (Logon Failure ID = 528, for example). That Event Log entry looks like this:
Logon Failure:
Reason: Unknown user name or bad password
User Name: jblack
Domain: AQRS104
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: AQRS104
Caller User Name: AQRS104$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 10252
Transited Services: -
Source Network Address: 192.168.40.25
Source Port: 1443
My current problem is that all the native event log inspectors will pull the information from the header of the log entry, but not the Description area. I’m trying to return the offending user that’s failing logon on this system, so in this case “jblack”, even better would be <User Name>.
How could I extract that information from the Description text without pulling back the entire Description?
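The extraction the question asks for, shown as an added example in Python rather than in BigFix Relevance (this is not code from the poster or from the BigFix product; it shows the parsing logic, which the poster would then express in Relevance). The Description body is a series of `Label:<whitespace>value` lines, so the robust approach is to split each line on its first colon and strip the surrounding whitespace, rather than counting characters or assuming a fixed number of tabs, because Windows pads the labels with a varying number of tabs. The sample records below are constructed from the entry quoted in the post (event id 528, as given there), plus a record with a different id that must be ignored and a second 528 record whose body has no User Name line, to show how the missing-field case is handled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records: (event id, Description text).
# Record 1 reproduces the Description quoted in the post, with the tab
# padding Windows uses between label and value (the tab count varies, so
# nothing below depends on it). Record 2 has a different event id and must
# be ignored. Record 3 carries the filtered id but has no User Name line.
SAMPLE_RECORDS: List[Tuple[int, str]] = [
    (528,
     "Logon Failure:\r\n"
     " \tReason:\t\tUnknown user name or bad password\r\n"
     " \tUser Name:\tjblack\r\n"
     " \tDomain:\t\tAQRS104\r\n"
     " \tLogon Type:\t10\r\n"
     " \tLogon Process:\tUser32\r\n"
     " \tAuthentication Package:\tNegotiate\r\n"
     " \tWorkstation Name:\tAQRS104\r\n"
     " \tCaller User Name:\tAQRS104$\r\n"
     " \tCaller Domain:\tOURDOMAIN\r\n"
     " \tCaller Logon ID:\t(0x0,0x3E7)\r\n"
     " \tCaller Process ID:\t10252\r\n"
     " \tTransited Services:\t-\r\n"
     " \tSource Network Address:\t192.168.40.25\r\n"
     " \tSource Port:\t1443\r\n"),
    (538, "User Logoff:\r\n \tUser Name:\tjblack\r\n \tDomain:\t\tAQRS104\r\n"),
    (528, "Logon Failure:\r\n \tReason:\t\tAccount currently disabled\r\n"),
]

# Label = everything up to the first colon; value = the rest, trimmed.
LABEL_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_description(description: str) -> Dict[str, str]:
    """Turn the 'Label:<tabs>value' lines of a Description body into a dict.

    The heading line ('Logon Failure:') has no value and is stored under its
    label with an empty string. Splitting on the first colon only means a value
    that itself contains colons (an IPv6 address, say) survives intact.
    """
    fields: Dict[str, str] = {}
    for line in description.splitlines():
        m = LABEL_RE.match(line)
        if not m:
            continue  # blank line or free text without a label
        label, value = m.group(1), m.group(2)
        fields.setdefault(label, value)  # keep the first occurrence of a label
    return fields


def field_from_records(records: List[Tuple[int, str]], event_id: int,
                       label: str = "User Name") -> List[str]:
    """Return the requested Description field from every record with event_id.

    Records whose body lacks the label are skipped instead of yielding an
    empty string, so the caller gets a clean list of account names.
    """
    out: List[str] = []
    for rec_id, description in records:
        if rec_id != event_id:
            continue
        value = parse_description(description).get(label)
        if value:
            out.append(value)
    return out


def account_name(fields: Dict[str, str]) -> Optional[str]:
    """Combine Domain and User Name as DOMAIN\\user.

    This DOMAIN\\user form is my own formatting choice for the 'even better'
    case, not a format the post specifies. None when there is no User Name.
    """
    user = fields.get("User Name")
    if not user:
        return None
    domain = fields.get("Domain")
    return f"{domain}\\{user}" if domain else user


if __name__ == "__main__":
    print(field_from_records(SAMPLE_RECORDS, 528))                  # ['jblack']
    print(account_name(parse_description(SAMPLE_RECORDS[0][1])))    # AQRS104\jblack
```

The point to carry over into whatever expression ends up in the Analysis is the same: locate the `User Name:` label, take the text up to the end of that line, and strip whitespace on both sides, because the padding between the label and the value is tabs of varying count, not a single space as the pasted entry suggests.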