Alert for attempt to use disabled or nonexistent user

Hello everybody

I wish to create a custom alert for my client.

He needs an alert anytime someone attempts to use a disabled or nonexistent user ...

Any lead or idea for that one?

Thanks in advance

  • Hi benybb,

    Please try the following rule. It has a parameter called "Failure Reasons". For your use case after importing the rule, go to the rule matching parameters and remove all reasons but two, 0xc000006d,0xc0000064 and 0xc000006e,0xc0000072. The full list of reasons:

    0xc000006d,0xc0000064 - User logon with misspelled or bad user account
    0xc000006d,0xc000006a - User logon with misspelled or bad password
    0xc000006d,0xc0000133 - Clocks between DC and other computer too far out of sync
    0xc000006e,0xc000006f - User logon outside authorized hours
    0xc000006e,0xc0000070 - User logon from unauthorized workstation
    0xc000006e,0xc0000072 - User logon to account disabled by administrator
    0xc000015b,0x0 - The user has not been granted the requested logon type (aka logon right) at this machine
    0xc0000193,0x0 - User logon with expired account
    0xc0000224,0x0 - User is required to change password at next logon
    0xc0000192,0x0 - An attempt was made to logon, but the Netlogon service was not started
    0xc0000234,0x0 - User logon with account locked

    Failed logon with specific failure reason.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Failed logon with specific failure reason.xml $
    $Revision: 0 $
    $Modtime: 6/3/2020 7:21:19 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{6AF42AE4-B387-41CA-BFDB-4CA9FFC7749F}\ChildGroups\{7B0416B9-E52F-4040-8EFC-9CDB327BD4C6}\ChildGroups\{2BFCC2D1-43A4-49CE-BD70-CFD49FD22F92}\ChildGroups\{9AA7FC06-056F-49A7-9356-7BB9FABA71E0}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when a failed logon attempt with a certain failure reason occurs on a workstation or server. Apply the rule to a site that contains all the computers you want to watch.
    To specify exactly which logon failure reasons you are interested in, configure the "Failure Reasons" parameter. It is a list that accepts the following values in any combination:
    0xc000006d,0xc0000064 - User logon with misspelled or bad user account
    0xc000006d,0xc000006a - User logon with misspelled or bad password
    0xc000006d,0xc0000133 - Clocks between DC and other computer too far out of sync
    0xc000006e,0xc000006f - User logon outside authorized hours
    0xc000006e,0xc0000070 - User logon from unauthorized workstation
    0xc000006e,0xc0000072 - User logon to account disabled by administrator
    0xc000015b,0x0 - The user has not been granted the requested logon type (aka logon right) at this machine
    0xc0000193,0x0 - User logon with expired account
    0xc0000224,0x0 - User is required to change password at next logon
    0xc0000192,0x0 - An attempt was made to logon, but the Netlogon service was not started
    0xc0000234,0x0 - User logon with account locked]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Failed logon with specific failure reason</Name>
    	<Guid>{90DA1CB6-9F5B-4010-B564-CE6BA2DC802E}</Guid>
    	<MatchCondition><!-- value not preserved in this copy of the post --></MatchCondition>
    	<AlertSeverity>48</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>1</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>0100000000000000</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>1</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>Failed logon with account name %User Domain%\%User Name% was performed from %Workstation Name%. %Failure Reason%</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>1</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription>Failed logon with account name %User Domain%\%User Name% of %Logon Type% type was performed from %Workstation Name% workstation at %_LocalTime% (%_GMT% GMT). Failure reason: %Failure Reason%.</AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>QS_AD_ATP_0151</AlertCode>
    	
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{4599C306-B6E1-4327-BF50-65FC207AC8A7}</Guid>
    			<ComposerTemplate><!-- value not preserved in this copy of the post --></ComposerTemplate>
    			<ComposerId>{5EBCC3EF-6BFE-4A7A-AF9D-46F7D31470F6}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{976ACA10-0476-4288-A96E-BCC8D0A4D154}</NotificationType>
    			
    		</ITRTNotificationFormat>
    		<ITRTNotificationFormat>
    			<Guid>{3E1AEF48-B105-49F1-A865-BBB47DF32C21}</Guid>
    			<ComposerTemplate><!-- value not preserved in this copy of the post --></ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    			
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{2093A8EC-18A3-46F9-86B2-F6FEAE619412}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    			
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D000B0000002500550073006500720020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D000D00000025005500730065007200200044006F006D00610069006E002500</ProviderConfig>
    			<Guid>{85895AC6-84E9-4195-9097-44BF02FFE052}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig><!-- value not preserved in this copy of the post --></ProviderConfig>
    			<Guid>{D8AC7C7F-DFEF-4F85-AA8A-B8A6F4CA10DB}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>1</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{205C08DA-11D5-48C4-80EA-2414C669E447}</Guid>
    			<FieldValue>%af_LogonType%</FieldValue>
    			<FieldName>Logon Type</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{DD12BE1F-36F9-47B0-8B71-46D661DD8B11}</Guid>
    			<FieldValue>%af_UsrDomain%</FieldValue>
    			<FieldName>User Domain</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>1</Suppression>
    			<Guid>{2678C52D-F0CD-45C4-BA0B-C80842BD39E8}</Guid>
    			<FieldValue>%af_UsrName%</FieldValue>
    			<FieldName>User Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>1</Suppression>
    			<Guid>{A50B3819-2719-4DCB-9A67-E5D2D9C33592}</Guid>
    			<FieldValue>%af_WorkStation%</FieldValue>
    			<FieldName>Workstation Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>1</Suppression>
    			<Guid>{9AE52FAC-C1DA-4B5F-BE2E-EA82F338926D}</Guid>
    			<FieldValue>%af_FailureReason%</FieldValue>
    			<FieldName>Failure Reason</FieldName>
    			
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
    
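As an added example (not part of the answer above and not code that ships with the Quest rule), the same Status / Sub Status filtering implemented in Python over constructed Event ID 4625 message bodies. It parses the fields the rule's AlertName uses, normalises the hex so the log's uppercase 0xC000006D matches the rule's lowercase 0xc000006d, and emits an alert line in the shape of the rule's AlertName only for the two pairs the answer keeps (bad user account, disabled account). The function names, the FailedLogon dataclass and the sample messages are assumptions of this example; the field labels follow the layout of the real 4625 message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Status / Sub Status pairs and their meanings, as listed in the rule description.
FAILURE_REASONS = {
    ("0xc000006d", "0xc0000064"): "User logon with misspelled or bad user account",
    ("0xc000006d", "0xc000006a"): "User logon with misspelled or bad password",
    ("0xc000006d", "0xc0000133"): "Clocks between DC and other computer too far out of sync",
    ("0xc000006e", "0xc000006f"): "User logon outside authorized hours",
    ("0xc000006e", "0xc0000070"): "User logon from unauthorized workstation",
    ("0xc000006e", "0xc0000072"): "User logon to account disabled by administrator",
    ("0xc000015b", "0x0"): "The user has not been granted the requested logon type at this machine",
    ("0xc0000193", "0x0"): "User logon with expired account",
    ("0xc0000224", "0x0"): "User is required to change password at next logon",
    ("0xc0000192", "0x0"): "An attempt was made to logon, but the Netlogon service was not started",
    ("0xc0000234", "0x0"): "User logon with account locked",
}
# The two reasons the answer keeps for "disabled or nonexistent user".
DISABLED_OR_NONEXISTENT = {("0xc000006d", "0xc0000064"), ("0xc000006e", "0xc0000072")}


@dataclass
class FailedLogon:  # hypothetical record type for one parsed 4625 event
    account: str
    domain: str
    workstation: str
    logon_type: str
    status: str      # canonical lowercase hex, e.g. "0xc000006d"
    sub_status: str  # "0x0" when the event carries no sub status

# Field labels as they appear in the 4625 message body; the lookbehind keeps
# "Status:" from matching the "Sub Status:" line.
_FIELDS = {
    "account": r"Account Name:\s*(\S+)",
    "domain": r"Account Domain:\s*(\S+)",
    "workstation": r"Workstation Name:\s*(\S+)",
    "logon_type": r"Logon Type:\s*(\d+)",
    "status": r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]+)",
    "sub_status": r"Sub Status:\s*(0x[0-9A-Fa-f]+)",
}

def _norm(code: str) -> str:
    """Canonical hex: lowercase and unpadded, so 0xC000006D equals 0xc000006d."""
    return hex(int(code, 16))

def parse_4625(message: str) -> FailedLogon:
    """Extract the fields the rule's alert text uses from one 4625 message body."""
    # "Account Name:" appears twice (the subject, then the account that failed
    # to log on); the failing account's block follows this heading.
    _, _, failed = message.partition("Account For Which Logon Failed:")
    scope = {"account": failed or message, "domain": failed or message}
    values = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, scope.get(name, message))
        if not match:
            raise ValueError(f"field {name!r} missing from event message")
        values[name] = match.group(1)
    values["status"] = _norm(values["status"])
    values["sub_status"] = _norm(values["sub_status"])
    return FailedLogon(**values)

def classify(event: FailedLogon) -> Optional[str]:
    """Human-readable reason, or None for a pair the table does not list."""
    return FAILURE_REASONS.get((event.status, event.sub_status))

def alerts_for(messages: List[str], reasons=DISABLED_OR_NONEXISTENT) -> List[str]:
    """Alert lines shaped like the rule's AlertName, only for events whose
    (Status, Sub Status) pair is in `reasons`; all other failures are dropped."""
    alerts = []
    for message in messages:
        event = parse_4625(message)
        if (event.status, event.sub_status) in reasons:
            alerts.append(f"Failed logon with account name {event.domain}\\{event.account} "
                          f"was performed from {event.workstation}. {classify(event)}")
    return alerts

def _event(account, status, sub_status, reason_text, workstation="WS-042"):
    """Constructed 4625 message body following the real event's layout (sample data)."""
    return ("An account failed to log on.\nSubject:\n    Account Name:    -\n"
            "    Account Domain:  -\nLogon Type:      3\n"
            "Account For Which Logon Failed:\n"
            f"    Account Name:    {account}\n    Account Domain:  CORP\n"
            f"Failure Information:\n    Failure Reason:  {reason_text}\n"
            f"    Status:          {status}\n    Sub Status:      {sub_status}\n"
            f"Network Information:\n    Workstation Name: {workstation}\n")

# Constructed samples: bad user name, bad password, disabled account, locked account.
SAMPLE_EVENTS = [
    _event("jdoe.typo", "0xC000006D", "0xC0000064", "Unknown user name or bad password."),
    _event("jdoe", "0xC000006D", "0xC000006A", "Unknown user name or bad password."),
    _event("svc_old", "0xC000006E", "0xC0000072", "Account currently disabled."),
    _event("asmith", "0xC0000234", "0x0", "Account locked out."),
]

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

Matching on the (Status, Sub Status) pair rather than on Status alone is the point of the rule's parameter: 0xc000006d covers both a bad user name and a bad password, and only the sub status 0xc0000064 separates the nonexistent-account case from an ordinary typo. Passing `set(FAILURE_REASONS)` as `reasons` reproduces the rule's behaviour before the answer's trimming, with all eleven values active.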

  • Worked like a charm.

    Thank you so much.