Regex not working | Computer Accounts


John Carry

Mar 2, 2023, 2:22:25 AM3/2/23
to Wazuh mailing list
Hello Wazuh Team,
I have created a regex to match and filter Windows computer accounts, as they have a '$' sign at the end, because they normally are not worth investigating from a security point of view.

We are observing a high number of event ID 4672, "Special privileges assigned to new logon", and we want to filter this event for computer accounts so that we can get rid of false positives.

I have created the rule mentioned below, which uses a regex, but it is not working. Please note that I want to eliminate every event ID 4672 whose username field is a computer account.

The actual Rule Having Regex:
1.png

Parent Rule:
2.PNG

Cedrick Foko

Mar 2, 2023, 4:23:36 AM3/2/23
to Wazuh mailing list
Hello John. 
Thank you for using Wazuh.

Did you try the following regex instead?
  \.*\$$

If it doesn't work, kindly share with me some sample logs so I can analyze.
Let me know if you find this helpful.
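As an added example that is not part of this thread, here is one way the filter could be written as a custom Wazuh rule: it drops event 4672 when the subject account name ends in `$`, reusing the OS_Regex pattern suggested above (in OS_Regex `\.` matches any character, `\$` a literal dollar sign, and the final `$` anchors the end of the value). The rule id, the `windows` parent group, and the `win.system.eventID` / `win.eventdata.subjectUserName` field names are assumptions about the eventchannel decoder output and should be checked against the agent's own decoded events.

```xml
<!-- Added example, not from the thread or the Wazuh ruleset.
     Custom rules belong in /var/ossec/etc/rules/local_rules.xml;
     ids >= 100000 are reserved for custom rules. -->
<group name="windows,windows_security,">

  <!-- Level 0 means the event is matched but never alerted on.
       Only fires for security events whose ID is exactly 4672 and whose
       subject account name ends in "$" (a computer account). -->
  <rule id="100100" level="0">
    <if_group>windows</if_group>                         <!-- assumed parent group -->
    <field name="win.system.eventID">^4672$</field>       <!-- assumed field name -->
    <field name="win.eventdata.subjectUserName">\.*\$$</field> <!-- assumed field name -->
    <description>Windows: special privileges assigned to a computer account (filtered as noise)</description>
    <options>no_full_log</options>
  </rule>

</group>
```

Before relying on it, run a decoded 4672 sample through `/var/ossec/bin/wazuh-logtest` and confirm that user accounts (no trailing `$`) still reach the original parent rule while computer accounts hit rule 100100 at level 0.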
