Trying to pull a username from a description.

I am new to InTrust and I am trying to set up a rule that sends an alert when someone fails to log on for either a bad password or a bad username. The issue is that the logs come in entirely under insertion string 1 and Event ID 0. I have used three parameters thus far: Threshold for the 3 attempts, Time Period, and Keys to define the failed logon message within the field. I need it to now read the username written in that same field. If someone could help me out I would greatly appreciate it. Thank you!

  • Hi Brian, does this topic continue the thread https://www.quest.com/community/intrust/f/forum/31182/application-log-and-realtime-alert ?

    OK, this can be done with regular expressions; you should write a regex for String1. Since you did not provide any details, I will give you an example based on the previous thread plus my guesswork. If we have two events:

    An attempt was made to login under dom\flast. Access Denied. This user is inactive.
    An attempt was made to login under dom\flast. Access Denied. This user account does not exist.

    The example of the rule that "reads the user name" might be as follows:

    <rule type="REL" version="1.0">
      <arguments>
        <argument displayname="User Name Regexp" name="Key" class="Text" description="A regular expression for the user name to search in the Insertion String 1.">
          <value>".*\\s([a-zA-Z][a-zA-Z0-9\\-\\.]{1,61}[a-zA-Z]\\\\\\w[\\w\\.\\-]+)\\.\\s.*"</value>
        </argument>
      </arguments>
      <prefilter>
      </prefilter>
      <body>
        EventID = 0
        and set_alert_field("UserName", substr(String1, regexp(array(<parameter name="Key"/>), String1, "i")[1][0], regexp(array(<parameter name="Key"/>), String1, "i")[1][1]));
      </body>
    </rule>

    The regexp function returns an array of numbers (the index where the regexp matched and the length of the match), see https://support.quest.com/technical-documents/intrust/11.4.1/customization-kit/7#String . Then the indexes are used in the substr function. My regexp is .*?\s([a-zA-Z][a-zA-Z0-9\-\.]{1,61}[a-zA-Z]\\\w[\w\.\-]+)\.\s.*; it searches for something that contains a \ inside and ends with a "." Note that you should double all backslashes after you copy the regexp into the rule.

  • This definitely put me on the right track, thank you!

  • And the whole rule with threshold might look as follows. The only thing that is not good is that this REL language cannot return the whole list of user names; the list is not accessible from outside. So you can only see the last user who triggered the rule; the user name is accessible as %UserName%.

    <?xml version="1.0"?>
    <rule type="REL" version="1.0">
      <arguments>
        <argument displayname="Time period" name="Time period" description="Time period in which the events occurred." class="DateTimeRange">
          <value>"0/00/0 01:00:00"</value>
        </argument>
        <argument displayname="Threshold" name="Threshold" description="Events threshold. The rule will match if the number of events exceeds the threshold." class="Number">
          <value>3</value>
        </argument>
        <argument displayname="Keys" name="Keys" class="List" description="A list of key phrases to search in the Insertion String 1.">
          <value>"*AFTRAK: Access Denied. This user is inactive.*","*AFTRAK: Access Denied. This user account does not exist.*"</value>
        </argument>
        <argument displayname="User Name Regexp" name="Key" class="Text" description="A regular expression for the user name to search in the Insertion String 1.">
          <value>".*Access Denied.*User Account: (.*)"</value>
        </argument>
      </arguments>
      <prefilter>
        EventID = 0;
      </prefilter>
      <body>
        EventID = 0

        and in(String1, "wi", array(<parameter name="Keys"/>))

        and count(select_filtered(
          EventID = 0 and in( String1, "wi", array(<parameter name="Keys"/>) ),
          Z.EventID = 0 and in( Z.String1, "wi", array(<parameter name="Keys"/>) ) and substr(String1, regexp(array(<parameter name="Key"/>), String1, "i")[1][0], regexp(array(<parameter name="Key"/>), String1, "i")[1][1]) != substr(Z.String1, regexp(array(<parameter name="Key"/>), Z.String1, "i")[1][0], regexp(array(<parameter name="Key"/>), Z.String1, "i")[1][1]),
          <parameter name="Time period"></parameter> ))
        &gt;= <parameter name="Threshold"></parameter>

        and empty(select_matches(
          EventID = 0,
          <parameter name="Time period"></parameter> ))

        and set_alert_field("UserName", substr(String1, regexp(array(<parameter name="Key"/>), String1, "i")[1][0], regexp(array(<parameter name="Key"/>), String1, "i")[1][1]));
      </body>
    </rule>
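    As an added example (not part of this thread and not InTrust's own code), here is a Python model of what the two rules above compute: the regexp()/substr() extraction of the user name from String1 with the first reply's regexp, and the threshold over a one-hour window. The (offset, length) semantics of regexp(), the meaning of the "wi" flag and the sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# The regexp from the first reply, as a Python raw string (the REL rule needs
# every backslash doubled). Group 1 captures "dom\flast".
USER_RE = r".*?\s([a-zA-Z][a-zA-Z0-9\-\.]{1,61}[a-zA-Z]\\\w[\w\.\-]+)\.\s.*"
# Key phrases from the Keys argument, without the "*" wildcards.
KEYS = ("Access Denied. This user is inactive.",
        "Access Denied. This user account does not exist.")

def regexp(pattern, text):
    """Approximation of REL regexp(): a list of (offset, length) pairs, index 0
    for the whole match and index 1 for the first group; None if no match."""
    m = re.search(pattern, text, re.IGNORECASE)  # the "i" flag in the rule
    if m is None:
        return None
    return [(m.start(i), m.end(i) - m.start(i)) for i in range(m.re.groups + 1)]

def substr(text, offset, length):
    return text[offset:offset + length]

def extract_user(string1):
    """The value the rule stores with set_alert_field("UserName", ...)."""
    pos = regexp(USER_RE, string1)
    return None if pos is None else substr(string1, pos[1][0], pos[1][1])

def failed_logons(events, threshold=3, period=timedelta(hours=1)):
    """Sliding window over (timestamp, String1) events: one alert per event
    at which >= threshold key-phrase failures fall inside the period. Unlike
    the REL rule, the alert lists every user in the window, not only the last."""
    window, alerts = [], []
    for ts, string1 in sorted(events):
        # in(String1, "wi", Keys) assumed to mean wildcard, case-insensitive
        if not any(k.lower() in string1.lower() for k in KEYS):
            continue
        window.append((ts, extract_user(string1)))
        window = [(t, u) for t, u in window if ts - t <= period]
        if len(window) >= threshold:
            alerts.append({"last_user": window[-1][1],
                           "users": sorted({u for _, u in window if u})})
    return alerts

# Constructed sample events (Event ID 0, message text in Insertion String 1).
SAMPLE = [
    (datetime(2024, 1, 1, 9, 0), r"An attempt was made to login under dom\flast. Access Denied. This user is inactive."),
    (datetime(2024, 1, 1, 9, 10), r"An attempt was made to login under dom\jdoe. Access Denied. This user account does not exist."),
    (datetime(2024, 1, 1, 9, 20), "Service started successfully."),
    (datetime(2024, 1, 1, 9, 40), r"An attempt was made to login under dom\flast. Access Denied. This user account does not exist."),
]
```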