Hi, I'm not sure I understand what you want...
But if you wish to filter out, at the receiver phase, all AD events that are done by the admin,
configure the filter with "contains string"
1- event IDs that are associated with AD events.
But filtering out these events is really not a good idea....
If I understand correctly, you're asking what to do when you want to filter out a variable and not a static string, e.g. users that end with a dollar sign.
For that you will need to enter a regex in the PCRE box in the filter wizard.
Again, I wouldn't recommend filtering out such data... but it's your choice.
@Pattarachai You are trying to remove computer accounts from correlation rules, aren't you?
I see this as a common problem. I do not believe @David1111's solution will work in this particular case, otherwise it is the correct answer. Source User is an indexed string and does not support regex in the correlation rule editor. The only way I have found to overcome this is to change the Windows parser (if you use WMI or something else, you will not be able to do this until you upgrade to v11.1???) and write the User into a field that supports regex.
Pattarachai was wondering about filtering out at the Receiver level.
And that you could accomplish by inserting regex syntax in the PCRE field in the Receiver \ Filter wizard, which checks the entire packet for the matching regex.
If you want to filter out from correlation rules users that end with a dollar sign, the best solution (and I'm sure Brenta knows it ...) is to create a dynamic watchlist in the ESM and, in the correlation rule, configure "not in" - watchlist_x.
@David1111: Ahhh, thanks missed that.
You do really need to be careful when adding 'short filters'. By short filters I mean anything that matches on a small number of characters, as it is quite easy for a short sequence to appear in a packet or even be "placed" there by an attacker.
I do believe I have used the following regex before with success for filtering events containing machine names.
Filter Machine Names
Send Log to ELM
Stop processing filter rules
With that, do keep in mind you should always run this against some historical data to ensure you are not erroneously filtering valid data. It also should ONLY be applied to Windows data sources.
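Added example, not posted by anyone in this thread: a small Python dry run over constructed Windows-style events that compares the kind of short filter Brenta warns about (a bare dollar sign anywhere in the packet) with a regex anchored on the user field and the trailing dollar sign, and that only applies the filter to Windows sources. Python's `re` stands in for the PCRE box; the event layout and the `SourceUser=` field name are assumptions.

```python
import re

# Constructed sample events as (data source type, raw packet text). Not real log data.
SAMPLE_EVENTS = [
    ("windows", "EventID=4624 SourceUser=WORKSTATION01$ Domain=CORP LogonType=3"),
    ("windows", "EventID=4769 SourceUser=SRV-FILE02$ Domain=CORP Service=krbtgt"),
    ("windows", "EventID=4624 SourceUser=jsmith Domain=CORP LogonType=2"),
    # A valid user event that merely contains a '$' elsewhere in the packet.
    ("windows", "EventID=4688 SourceUser=jsmith CommandLine=cmd.exe /c echo $PATH"),
    # Non-Windows source: must never be touched by a Windows machine-account filter.
    ("linux", "sshd[1234]: Accepted publickey for backup$ from 10.0.0.5"),
]

# The 'short filter': in PCRE a bare '$' is an anchor, so it must be escaped;
# this matches a dollar sign anywhere in the packet, which is far too broad.
SHORT_FILTER = re.compile(r"\$")

# Anchored to the field name and to the shape of a computer account:
# letters, digits or hyphens, a trailing '$', then whitespace or end of packet.
MACHINE_ACCOUNT_FILTER = re.compile(r"SourceUser=[A-Za-z0-9-]+\$(?=\s|$)")


def dry_run(pattern, events, source_type="windows"):
    """Return (dropped, kept) so the analyst can review what a filter rule
    would discard before enabling it. Only events from `source_type` are
    eligible for filtering; everything else always passes through."""
    dropped, kept = [], []
    for src, raw in events:
        if src == source_type and pattern.search(raw):
            dropped.append(raw)
        else:
            kept.append(raw)
    return dropped, kept


if __name__ == "__main__":
    for name, pattern in (("short filter", SHORT_FILTER),
                          ("machine-account filter", MACHINE_ACCOUNT_FILTER)):
        dropped, kept = dry_run(pattern, SAMPLE_EVENTS)
        print(f"{name}: would drop {len(dropped)} of {len(SAMPLE_EVENTS)} events")
        for raw in dropped:
            print("  DROP", raw)
```

Run against an export of historical events, the dropped list is exactly what to eyeball for valid data being thrown away; here the short filter also discards the 4688 command-line event.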