So I am attempting to send data to a custom field in Sentinel. For Windows
logon/logoff events (4624 and 4634 respectively), the type of logon is
recorded in the event message (the msg field in Sentinel). I want to be able
to send this logon type data to a custom field in Sentinel. I have
attempted Lucene queries using msg:"Logon Type :2", but that does not
seem to work when coupled with additional criteria like source user,
eventID, etc.

It was suggested elsewhere that I create a custom.js, as I do not want to
go to the lengths of creating a new collector.

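One way to pull the logon type out of the 4624/4634 message text so it can land in a dedicated field, as an added example that is not from the original post or from Sentinel's own collector code: a plain JavaScript parser and enrichment step that a custom.js could call. The field names `LogonType`/`LogonTypeName`, the event record shape, and the sample message are assumptions; the hook into Sentinel's collector API is not shown.

```javascript
// Added example: extract the Windows logon type from the free-text message of
// a 4624/4634 event and copy it into its own field. How this is wired into a
// Sentinel custom.js is an assumption and is not shown here.

// Descriptive names for the numeric logon types Windows records in the message.
const LOGON_TYPE_NAMES = {
  2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
  7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
  10: "RemoteInteractive", 11: "CachedInteractive",
};

// Events whose message body carries a "Logon Type:" line.
const LOGON_EVENT_IDS = new Set([4624, 4634]);

// Returns the numeric logon type found in msg, or null when absent/malformed.
// The regex tolerates tabs, spaces and a space before the colon, because the
// spacing of the rendered message varies ("Logon Type:\t\t2" vs "Logon Type :2").
function parseLogonType(msg) {
  if (typeof msg !== "string") return null;
  const m = /Logon\s*Type\s*:\s*(\d{1,2})\b/i.exec(msg);
  if (!m) return null;
  const t = parseInt(m[1], 10);
  return Number.isFinite(t) ? t : null;
}

// Adds LogonType / LogonTypeName to a logon or logoff event record (assumed
// shape: { eventId, user, msg }). Other events are returned unchanged, so the
// enriched field can then be combined freely with eventID and user filters.
function enrichLogonType(ev) {
  if (!LOGON_EVENT_IDS.has(Number(ev.eventId))) return ev;
  const t = parseLogonType(ev.msg);
  if (t === null) return ev;
  return { ...ev, LogonType: t, LogonTypeName: LOGON_TYPE_NAMES[t] || "Unknown" };
}

// Constructed sample: the relevant fragment of a 4624 message in the
// tab-separated layout Windows uses, not a captured production event.
const SAMPLE_4624 = {
  eventId: 4624,
  user: "CORP\\alice",
  msg: "An account was successfully logged on.\r\n\r\n" +
       "Logon Information:\r\n\tLogon Type:\t\t10\r\n\tRestricted Admin Mode:\t-\r\n",
};

const enriched = enrichLogonType(SAMPLE_4624);
console.log(enriched.LogonType, enriched.LogonTypeName); // 10 RemoteInteractive
```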