Exclude user from rule

Hello,

I wish to exclude/filter out a user from 2 specific rules.

(because it caused a lot of false alerts)

The user is: fortildap

The first rule is:

Multiple failed logons by the same user.

There were 5 failed logons by user DOMAIN\fortildap from workstation DC-ADMIN2.

Alert was generated on computer p-upp1.domain.com

Alert was generated at Sun Jun 14 09:37:23 2020 (Sun Jun 14 06:37:23 2020 GMT).

The second rule is:

Failed logon with account name DOMAIN\fortildap was performed from DC-ADMIN2. Unknown user name or bad password.  

Failed logon with account name DOMAIN\fortildap of Network type was performed from DC-ADMIN2 workstation at Sun Jun 14 13:25:33 2020 (Sun Jun 14 10:25:33 2020 GMT). Failure reason: Unknown user name or bad password.


Is this possible and how?

Thanks in advance

  • Multiple failed logons by the same user: Win XP conditions removed, Whitelisted Users parameter added, you can edit user names in the Parameters section on the Matching tab:

    <?xml version="1.0"?>
    <rule type="REL" version="1.0">
    <arguments>
    <argument displayname="Time period" name="Time period" description="Time period within which the events occurred." class="DateTimeRange">
    <value>"00:01:00"</value>
    </argument>
    <argument displayname="Threshold" name="Threshold" description="Events threshold." class="Number">
    <value>5</value>
    </argument>
    <argument displayname="Whitelisted Users" name="Whitelisted_Users" class="List" description="A list of users (sAMAccountNames) to exclude from monitoring.">
    <value>"fortildap"</value>
    </argument>
    </arguments>
    <prefilter>
    EventID = 4625;
    </prefilter>
    <body>
    count(select_filtered(
    EventID = 4625
    and ( striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc0000064") or
    striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc000006a") )
    and not striequ(String6, String14)
    and not(in(String6, "wi", array(<parameter name="Whitelisted_Users"/>))),
    striequ( Z.String6, String6 ) and striequ( Z.String7, String7 ),
    <parameter name="Time period"></parameter> ))
    &gt;= <parameter name="Threshold"></parameter>

    and empty(select_matches(
    striequ( Z[0].String6, String6 ) and striequ( Z[0].String7, String7 ),
    <parameter name="Time period"></parameter>
    ))

    and set_alert_field("_UsrName", String6, true)
    and set_alert_field("_UsrDomain", String7, true)
    and set_alert_field("_WorkStation", String14, true);
    </body>
    </rule>


  • Thank you Igor -

    How can I do the same for the second rule that I mentioned:

    Failed logon with account name DOMAIN\fortildap was performed from DC-ADMIN2. Unknown user name or bad password.


  • Failed logon with specific failure reason: Failure Reasons parameter contains only values you are interested in; Whitelisted Users parameter added, you can edit user names in the Parameters section on the Matching tab:

    <?xml version="1.0"?>
    <rule type="REL" version="1.0">
    <arguments>
    <argument displayname="Failure Reasons" name="FailureReasons" class="List" description="The list of failure reasons you are interested in; see the rule description.">
    <value>"0xc000006d,0xc0000064",
    "0xc000006e,0xc0000072"</value>
    </argument>
    <argument displayname="Whitelisted Users" name="Whitelisted_Users" class="List" description="A list of users (sAMAccountNames) to exclude from monitoring.">
    <value>"fortildap"</value>
    </argument></arguments>
    <prefilter>
    EventID = 4625;
    </prefilter>
    <body>
    EventID = 4625
    and 0 = (get_account_type( String7, String6 ) &amp; (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT) )
    and in(strcat(String8, ",", String10), "wi", array(<parameter name="FailureReasons"></parameter>))
    and not(in(String6, "wi", array(<parameter name="Whitelisted_Users"/>)))
    and set_alert_field("af_UsrName", String6, true)
    and set_alert_field("af_UsrDomain", String7, true)
    and set_alert_field("af_WorkStation", String14, true)
    and set_alert_field("af_LogonTypeCode", String11, true)
    and set_alert_field("af_LogonType", array("System","Dial-up","Interactive","Network","Batch","Service","Proxy","Unlock","Network Clear Text","New Credentials","Remote Interactive","Cached Interactive","Cached Remote Interactive","Cached Unlock")[number(String11)], true)
    and set_alert_field("af_FailureReason", String30, true);
    </body>
    </rule>
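    Added example (not part of the thread, and not the product's code): a Python model of the logic behind both rules above, run over constructed event 4625 records, so the effect of the Whitelisted Users parameter, the Status/SubStatus pairs and the threshold window can be checked offline. The `String*` keys follow the rules' own usage (String6 user, String7 domain, String8 Status, String10 SubStatus, String11 logon type, String14 workstation). Assumptions, also marked in the code: the `in(..., "wi", ...)` match is treated as case-insensitive, `get_account_type()` is approximated by a trailing `$`, and `String30` is filled with constructed reason text.

```python
"""Model of the two REL rules in the thread, over constructed 4625 records."""
from datetime import datetime, timedelta

# Rule parameters, mirroring the <argument> values posted above
WHITELISTED_USERS = {"fortildap"}
TIME_PERIOD = timedelta(minutes=1)   # "00:01:00"
THRESHOLD = 5

# Status,SubStatus pairs: rule 1 counts only the first two,
# rule 2 matches all three (its "Failure Reasons" parameter)
UNKNOWN_USER = ("0xc000006d", "0xc0000064")
BAD_PASSWORD = ("0xc000006d", "0xc000006a")
ACCOUNT_DISABLED = ("0xc000006e", "0xc0000072")
RULE1_REASONS = {UNKNOWN_USER, BAD_PASSWORD}
RULE2_REASONS = {UNKNOWN_USER, BAD_PASSWORD, ACCOUNT_DISABLED}

# Same table the second rule indexes with number(String11)
LOGON_TYPES = ["System", "Dial-up", "Interactive", "Network", "Batch",
               "Service", "Proxy", "Unlock", "Network Clear Text",
               "New Credentials", "Remote Interactive", "Cached Interactive",
               "Cached Remote Interactive", "Cached Unlock"]

# Constructed reason text for String30; real events carry their own
REASON_TEXT = {UNKNOWN_USER: "Unknown user name or bad password.",
               BAD_PASSWORD: "Unknown user name or bad password.",
               ACCOUNT_DISABLED: "Account currently disabled."}


def is_whitelisted(user):
    # Assumption: in(String6, "wi", ...) compares case-insensitively like
    # striequ(), so a parameter of "fortildap" also covers "FortiLDAP"
    return user.lower() in {u.lower() for u in WHITELISTED_USERS}


def is_machine_account(user):
    # Stand-in for get_account_type(...) & (UF_WORKSTATION_TRUST_ACCOUNT |
    # UF_SERVER_TRUST_ACCOUNT): without a directory to query, the trailing
    # "$" of computer accounts is used as the marker (assumption)
    return user.endswith("$")


def multiple_failed_logons(events):
    """Rule 1: >= THRESHOLD unknown-user/bad-password failures for the same
    user+domain within TIME_PERIOD; one alert per user per period."""
    alerts, last_alert = [], {}
    for e in sorted(events, key=lambda x: x["time"]):
        if e["EventID"] != 4625 or (e["String8"], e["String10"]) not in RULE1_REASONS:
            continue
        # not striequ(String6, String14) and the whitelist check
        if e["String6"].lower() == e["String14"].lower() or is_whitelisted(e["String6"]):
            continue
        key = (e["String6"].lower(), e["String7"].lower())
        since = e["time"] - TIME_PERIOD
        # count(select_filtered(...)): matching events for this user in the window
        n = sum(1 for x in events
                if x["EventID"] == 4625
                and (x["String8"], x["String10"]) in RULE1_REASONS
                and (x["String6"].lower(), x["String7"].lower()) == key
                and since < x["time"] <= e["time"])
        # empty(select_matches(...)): no repeat alert for this user in the window
        if n >= THRESHOLD and not (key in last_alert and last_alert[key] > since):
            last_alert[key] = e["time"]
            alerts.append({"_UsrName": e["String6"], "_UsrDomain": e["String7"],
                           "_WorkStation": e["String14"], "time": e["time"]})
    return alerts


def failed_logon_with_reason(events):
    """Rule 2: one alert per 4625 whose Status,SubStatus pair is listed,
    skipping whitelisted users and computer (trust) accounts."""
    alerts = []
    for e in events:
        if e["EventID"] != 4625 or (e["String8"], e["String10"]) not in RULE2_REASONS:
            continue
        if is_machine_account(e["String6"]) or is_whitelisted(e["String6"]):
            continue
        alerts.append({"af_UsrName": e["String6"], "af_UsrDomain": e["String7"],
                       "af_WorkStation": e["String14"],
                       "af_LogonTypeCode": e["String11"],
                       "af_LogonType": LOGON_TYPES[int(e["String11"])],
                       "af_FailureReason": e["String30"]})
    return alerts


def ev(ts, user, domain, pair, workstation, logon_type="3"):
    """Constructed 4625 record in the rules' String* layout."""
    return {"EventID": 4625, "time": ts, "String6": user, "String7": domain,
            "String8": pair[0], "String10": pair[1], "String11": logon_type,
            "String14": workstation, "String30": REASON_TEXT[pair]}


T0 = datetime(2020, 6, 14, 9, 36, 0)
EVENTS = (
    # the whitelisted account: noisy, must not alert under either rule
    [ev(T0 + timedelta(seconds=10 * i), "fortildap", "DOMAIN", BAD_PASSWORD, "DC-ADMIN2") for i in range(6)]
    # six bad passwords for jdoe in 50 s: rule 1 fires once, rule 2 six times
    + [ev(T0 + timedelta(seconds=10 * i), "jdoe", "DOMAIN", BAD_PASSWORD, "WS01") for i in range(6)]
    # disabled-account failure: rule 2 only
    + [ev(T0 + timedelta(hours=1), "jdoe", "DOMAIN", ACCOUNT_DISABLED, "WS01")]
    # one unknown-user failure: below rule 1's threshold, rule 2 fires
    + [ev(T0, "svc-backup", "DOMAIN", UNKNOWN_USER, "WS02")]
    # computer account: excluded by rule 2's trust-account check
    + [ev(T0, "WS03$", "DOMAIN", UNKNOWN_USER, "WS03")]
)

if __name__ == "__main__":
    for a in multiple_failed_logons(EVENTS):
        print("rule 1:", a)
    for a in failed_logon_with_reason(EVENTS):
        print("rule 2:", a["af_UsrName"], a["af_LogonType"], a["af_FailureReason"])
```

    Running the script shows one rule 1 alert (jdoe) and eight rule 2 alerts; none of the fortildap events reach either rule, which is the effect the Whitelisted Users parameter has in the posted rules. Note that the whitelist matches on the sAMAccountName only (String6), so the same name in another domain is also excluded.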

  • It worked - thanks for everything...