Exclude user from rule

Hello,

I wish to exclude/filter out a user from two specific rules.

(because it caused a lot of false alerts)

The user is: fortildap

The first rule is:

Multiple failed logons by the same user.

There were 5 failed logons by user DOMAIN\fortildap from workstation DC-ADMIN2.

Alert was generated on computer p-upp1.domain.com

Alert was generated at Sun Jun 14 09:37:23 2020 (Sun Jun 14 06:37:23 2020 GMT).

The second rule is:

Failed logon with account name DOMAIN\fortildap was performed from DC-ADMIN2. Unknown user name or bad password.  

Failed logon with account name DOMAIN\fortildap of Network type was performed from DC-ADMIN2 workstation at Sun Jun 14 13:25:33 2020 (Sun Jun 14 10:25:33 2020 GMT). Failure reason: Unknown user name or bad password.


Is this possible and how?

Thanks in advance

  • Failed logon with specific failure reason: the Failure Reasons parameter contains only the values you are interested in; a Whitelisted Users parameter has been added, and you can edit the user names in the Parameters section on the Matching tab:

    <?xml version="1.0"?>
    <rule type="REL" version="1.0">
    <arguments>
    <!-- Status,SubStatus pairs from event 4625 (String8,String10) that should raise an alert -->
    <argument displayname="Failure Reasons" name="FailureReasons" class="List" description="The list of failure reasons you are interested in; see the rule description.">
    <value>"0xc000006d,0xc0000064",
    "0xc000006e,0xc0000072"</value>
    </argument>
    <!-- Accounts (sAMAccountName, String6) whose failed logons are ignored by this rule -->
    <argument displayname="Whitelisted Users" name="Whitelisted_Users" class="List" description="A list of users (sAMAccountNames) to exclude from monitoring.">
    <value>"fortildap"</value>
    </argument>
    </arguments>
    <prefilter>
    EventID = 4625;
    </prefilter>
    <body>
    EventID = 4625
    and 0 = (get_account_type( String7, String6 ) &amp; (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT) )
    and in(strcat(String8, ",", String10), "wi", array(<parameter name="FailureReasons"></parameter>))
    and not(in(String6, "wi", array(<parameter name="Whitelisted_Users"/>)))
    and set_alert_field("af_UsrName", String6, true)
    and set_alert_field("af_UsrDomain", String7, true)
    and set_alert_field("af_WorkStation", String14, true)
    and set_alert_field("af_LogonTypeCode", String11, true)
    and set_alert_field("af_LogonType", array("System","Dial-up","Interactive","Network","Batch","Service","Proxy","Unlock","Network Clear Text","New Credentials","Remote Interactive","Cached Interactive","Cached Remote Interactive","Cached Unlock")[number(String11)], true)
    and set_alert_field("af_FailureReason", String30, true);
    </body>
    </rule>
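To see what the rule body above actually filters, here is a Python model of its matching logic run over constructed 4625 events; this is an added example, not code from the thread or from InTrust. It assumes the field mapping stated in the rule (String6 = user, String7 = domain, String8/String10 = status/substatus, String11 = logon type, String14 = workstation) and that "wi" means a wildcard, case-insensitive comparison.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Rule parameters copied from the posted XML. Failure reasons are
# "status,substatus" pairs built from String8 and String10 of event 4625.
FAILURE_REASONS = ["0xc000006d,0xc0000064", "0xc000006e,0xc0000072"]
WHITELISTED_USERS = ["fortildap"]

# Assumption: "wi" in the rule's in() call means wildcard, case-insensitive.
def match_wi(value, patterns):
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

@dataclass
class Event4625:
    user: str          # String6  TargetUserName
    domain: str        # String7  TargetDomainName
    status: str        # String8  Status
    substatus: str     # String10 SubStatus
    logon_type: int    # String11 LogonType
    workstation: str   # String14 WorkstationName
    is_machine_account: bool = False  # stands in for the get_account_type() trust-flag test

LOGON_TYPES = ["System", "Dial-up", "Interactive", "Network", "Batch", "Service", "Proxy",
               "Unlock", "Network Clear Text", "New Credentials", "Remote Interactive",
               "Cached Interactive", "Cached Remote Interactive", "Cached Unlock"]

def evaluate(ev, whitelist=WHITELISTED_USERS):
    # Returns the alert fields the rule would set, or None when the rule does not fire.
    if ev.is_machine_account:                      # computer/server trust accounts are skipped
        return None
    if not match_wi(f"{ev.status},{ev.substatus}", FAILURE_REASONS):
        return None
    if match_wi(ev.user, whitelist):               # the Whitelisted_Users exclusion
        return None
    return {
        "af_UsrName": ev.user,
        "af_UsrDomain": ev.domain,
        "af_WorkStation": ev.workstation,
        "af_LogonTypeCode": str(ev.logon_type),
        "af_LogonType": LOGON_TYPES[ev.logon_type],
    }

# Constructed sample events: the service account from the thread plus an unrelated user.
SAMPLE = [
    Event4625("fortildap", "DOMAIN", "0xc000006d", "0xc0000064", 3, "DC-ADMIN2"),
    Event4625("jdoe", "DOMAIN", "0xc000006d", "0xc000006a", 3, "WS-017"),  # bad password: not listed
    Event4625("jdoe", "DOMAIN", "0xc000006d", "0xc0000064", 3, "WS-017"),  # listed pair: alerts
]

def alerts(events=SAMPLE, whitelist=WHITELISTED_USERS):
    return [a for a in (evaluate(e, whitelist) for e in events) if a]
```

Running `alerts()` with the whitelist yields one alert (jdoe), while `alerts(whitelist=[])` also reports the fortildap event, which is exactly the noise the change removes.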

  • It worked - thanks for everything...
