Hey Thwack community -
How does the LEM interpret *$* when used in a rule or a query? I am in the process of working on fine tuning a rule for Admin Logon Failures after hours. It's pulling local admins as well as local users in general. I am essentially wanting ALL admin logon failures to show; this would include local and domain-level Admins. So I am curious how to incorporate that and remove the unwanted monitoring of general user logon failures during those times.
Also - there are services running on my team's SQL databases and the logins are being logged as "\". I get a lot of these per night and was curious if anyone had experience getting these out of your logs for similar rules.