Hello. Is it possible to group by part of the message content of Windows events?
Basically I would like to group on a certain property (Image) which is located in the event message of a number of Sysmon events. I tried using regex to group by 'Image (.*)\s' but that did not work as below:
Might be worth mentioning – -like isn't quite regex. You seem to have a bit of a mix of regex and wildcard there – -like accepts '*' as a wildcard character. You could try using "-match '.*Image: (.*)\s*'", which may work?
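A worked version of the -match approach, added here as an example and not code from either poster. It assumes Sysmon event ID 1 messages that carry an "Image:" line, and builds a few constructed sample events in place of Get-WinEvent so it runs without Sysmon installed:

```powershell
# Added example (not from the thread). With real data, $events would come from e.g.
#   $events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}
# The objects below are constructed samples with the same Id/Message shape.
$events = @(
    [pscustomobject]@{ Id = 1; Message = "Process Create:`r`nRuleName: -`r`nImage: C:\Windows\System32\cmd.exe`r`nCommandLine: cmd.exe /c whoami`r`nParentImage: C:\Windows\explorer.exe" },
    [pscustomobject]@{ Id = 1; Message = "Process Create:`r`nRuleName: -`r`nImage: C:\Windows\System32\cmd.exe`r`nCommandLine: cmd.exe /c ipconfig`r`nParentImage: C:\Windows\explorer.exe" },
    [pscustomobject]@{ Id = 1; Message = "Process Create:`r`nRuleName: -`r`nImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`r`nCommandLine: powershell.exe`r`nParentImage: C:\Windows\System32\cmd.exe" }
)

# -like only understands '*' and '?' wildcards; -match is what evaluates a regex and
# fills $Matches with the capture groups. (?m) makes ^ and $ work per line, and the
# leading ^ keeps "ParentImage:" from being mistaken for "Image:".
function Get-SysmonImage {
    param([string]$Message)
    if ($Message -match '(?m)^Image:\s*(.+?)\s*$') {
        return $Matches[1]
    }
    return $null
}

# Group on the extracted Image value. Sorting by count gives a quick frequency view
# of which binaries are spawning processes, which is where outliers tend to show up.
$events |
    Select-Object Id, @{ Name = 'Image'; Expression = { Get-SysmonImage $_.Message } } |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Group-Object also accepts a script block directly, so the Select-Object step can be dropped in favour of `Group-Object { Get-SysmonImage $_.Message }` if the intermediate Image column is not needed.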