So I am attempting to send data to a custom field in Sentinel. For Windows
logon/logoff events (4624 and 4634 respectively), the type of logon is
recorded in the event message (msg field in Sentinel). I want to be able
to send this logon type data to a custom field in Sentinel. I have
attempted Lucene queries using msg:"Logon Type :2", but that does not
seem to work when coupled with additional criteria like source user,
eventID, etc.

It was suggested elsewhere that I create a custom.js as I do not want to
go to the lengths of creating a new collector.


--
psmcgovern
------------------------------------------------------------------------
psmcgovern's Profile: https://forums.netiq.com/member.php?userid=5730
View this thread: https://forums.netiq.com/showthread.php?t=49087
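Added example, not from the post or from NetIQ: plain JavaScript that pulls the "Logon Type" value out of the text of a 4624/4634 event message and attaches it as a separate field, so that filtering on it together with event ID and user becomes a field comparison rather than a message-text search. The sample events are constructed, and how the value is attached to a Sentinel record from a collector custom.js hook is assumed rather than shown.

```javascript
// Extract the Windows logon type from 4624/4634 message text and expose it
// as its own field. Plain JavaScript; hooking it into a Sentinel collector
// (custom.js) is assumed, not shown.

// Matches "Logon Type:2", "Logon Type :2", "Logon Type:\t\t10" and similar
// whitespace variants that appear in Windows event message text.
const LOGON_TYPE_RE = /Logon Type\s*:\s*(\d{1,2})\b/i;

// Human-readable names for the documented Windows logon types.
const LOGON_TYPE_NAMES = {
  2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
  7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
  10: "RemoteInteractive", 11: "CachedInteractive",
};

// Returns { code, name } or null when the message carries no logon type.
function extractLogonType(msg) {
  if (typeof msg !== "string") return null;
  const m = LOGON_TYPE_RE.exec(msg);
  if (!m) return null;
  const code = parseInt(m[1], 10);
  return { code, name: LOGON_TYPE_NAMES[code] || "Unknown" };
}

// Constructed sample events in the shape the post describes (eventID + msg).
const SAMPLE_EVENTS = [
  { eventID: 4624, srcUser: "alice", msg: "An account was successfully logged on.\n\nLogon Type:\t\t2\n\nNew Logon:" },
  { eventID: 4634, srcUser: "alice", msg: "An account was logged off.\nLogon Type :3" },
  { eventID: 4624, srcUser: "bob",   msg: "An account was successfully logged on.\nLogon Type:\t\t10" },
  { eventID: 4672, srcUser: "bob",   msg: "Special privileges assigned to new logon." },
];

// Adds LogonType / LogonTypeName to every record whose message carries one;
// records without a logon type are passed through unchanged.
function enrich(events) {
  return events.map((e) => {
    const lt = extractLogonType(e.msg);
    return lt ? { ...e, LogonType: lt.code, LogonTypeName: lt.name } : { ...e };
  });
}

// The combined filter the post wanted: interactive (type 2) logons by one user,
// expressed as field comparisons once the custom field exists.
function interactiveLogonsFor(events, user) {
  return enrich(events).filter(
    (e) => e.eventID === 4624 && e.srcUser === user && e.LogonType === 2
  );
}
```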