I am getting multiple "logon", "logoff" and "Special Logon" events a second for at least half my assets where the username is the same as the asset name with a "$" character added at the end.
For instance, for a host named MY-AWESOME-HOST there are multiple logon events a second where the username is MY-AWESOME-HOST$. I would prefer not to have to create one suppression rule for every host where this happens, so I thought I'd use the "Assign or Equal" operator to suppress events where the destination_name is LIKE the username. I have tried rules like this:
(packet_type == 'log' AND event_severity == 'INFO' AND (destination_username contains* [var_destination_name] OR source_username contains* [var_destination_name]) AND destination >> [var_destination])
But all that does is suppress ALL INFO Success events. The documentation on the assign or equal operator is VERY limited.
Where can I find suggestions on how to leverage variables in my rules?
Is anybody else facing similar issues where multiple logon events a second are sent to USM where the username is the same as the destination?
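As an added illustration (not from the post and not USM rule syntax, which is not reproduced here), the matching logic the rule is trying to express, written out in Python over constructed sample events: suppress INFO logon events only when the username is the destination host's own computer account (HOST$), while keeping a different machine account logging on to that host, since that is the case a suppression based on a loose "contains" check could hide.

```python
# Constructed sample events modelled on the fields named in the post
# (packet_type, event_severity, destination_name, destination_username,
# source_username). Not real USM output.
SAMPLE_EVENTS = [
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST",
     "destination_username": "MY-AWESOME-HOST$", "source_username": ""},
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Special Logon",
     "destination_name": "my-awesome-host.corp.example",
     "destination_username": "", "source_username": "CORP\\MY-AWESOME-HOST$"},
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST",
     "destination_username": "jsmith", "source_username": ""},
    # Another host's machine account authenticating to this host: keep it.
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST",
     "destination_username": "OTHER-HOST$", "source_username": ""},
    # Non-INFO severity is outside the suppression scope: keep it.
    {"packet_type": "log", "event_severity": "WARNING", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST",
     "destination_username": "MY-AWESOME-HOST$", "source_username": ""},
]

def is_own_machine_account_logon(ev):
    """True only when the username is the destination host's own HOST$ account."""
    host = ev.get("destination_name", "").strip().lower()
    if not host:
        return False
    host = host.split(".", 1)[0]  # compare the short name, ignoring any DNS suffix
    for field in ("destination_username", "source_username"):
        user = ev.get(field, "").strip().lower()
        user = user.rsplit("\\", 1)[-1]  # tolerate the DOMAIN\HOST$ form
        if user.endswith("$") and user[:-1] == host:
            return True
    return False

def should_suppress(ev):
    # Same scope as the rule in the post: INFO log packets only.
    return (ev.get("packet_type") == "log"
            and ev.get("event_severity") == "INFO"
            and is_own_machine_account_logon(ev))

def filter_events(events):
    """Return (kept, suppressed) so the suppression can be reviewed before use."""
    kept = [e for e in events if not should_suppress(e)]
    suppressed = [e for e in events if should_suppress(e)]
    return kept, suppressed
```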