Filter Out computer name in some Rules

Hello,

I wish to filter out the computer name in some rules.

The rules make false alerts with the computer name as the user name.

How exactly can I do that?

Thanks in advance 

*********

Rule (I): Member added to an administrative group


Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I): Change Password Attempt on Administrative Account


There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A): User Account enabled by unauthorized personnel


Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM.

****************
Rule (A): Multiple failed logons by the same user


There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

  • Hi Ben,

    Here the first rule goes, "Member added to an administrative group with account filtering".

    1. The old functionality for XP computers was removed,
    2. Two new parameters were added, "Consider Operator Computer Accounts" and "Consider Member Computer Accounts"; these display names can easily be changed in the Advanced rule editor,
    3. The alert name was changed; now the email subject contains all the details,
    4. The email body was changed; now it contains the link to the IT Security Search.

    To install the rule, right-click on any rule folder, click "Import" and select the xml file.
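
The account filtering Ben asks for, with the two switches this reply names, as an added example written for this thread (Python; not InTrust code and not the rule file attached below). It parses the alert sentences quoted in the question, whereas the real rule evaluates event fields, so the regexes and the names `parse_alert`, `keep_alert` and `filter_alerts` are this example's own. The meaning given to the two switches (`False` suppresses alerts whose operator, respectively member, is a computer account) is an assumption about what the rule parameters do; the sample alerts beyond the four from the question are constructed.

```python
"""Filter alerts whose acting account is a computer account (name ending in "$").

Added example for the thread, not InTrust code. It works on the alert sentences
quoted in the question; the real rule filters on event fields. The two switches
only model the parameter names mentioned in the reply ("Consider Operator
Computer Accounts", "Consider Member Computer Accounts"); their semantics here
are an assumption.
"""
import re
from typing import List, NamedTuple, Optional


class Alert(NamedTuple):
    text: str
    operator: Optional[str]  # account that performed the action, as DOMAIN\name
    member: Optional[str]    # account acted upon ("-" when the event lacks it)


# "by DOMAIN\name" or "by user DOMAIN\name"; a trailing sentence period is stripped.
_OPERATOR_RE = re.compile(r"\bby (?:user )?(?P<acct>\S+\\\S+)")
# A leading "Member X" / "Account X" names the account acted upon.
_MEMBER_RE = re.compile(r"^(?:Member|Account) (?P<acct>\S+)")


def parse_alert(text: str) -> Alert:
    """Pull operator and member out of an alert sentence (hypothetical parser)."""
    op = _OPERATOR_RE.search(text)
    mem = _MEMBER_RE.match(text)
    return Alert(
        text,
        op.group("acct").rstrip(".") if op else None,
        mem.group("acct") if mem else None,
    )


def is_computer_account(account: Optional[str]) -> Optional[bool]:
    """True for machine accounts (sAMAccountName ends in "$"), False for others,
    None when the account is missing or logged as "-" and cannot be classified."""
    if account is None or account == "-":
        return None
    return account.rsplit("\\", 1)[-1].endswith("$")


def keep_alert(alert: Alert,
               consider_operator_computer_accounts: bool = False,
               consider_member_computer_accounts: bool = False) -> bool:
    """Decide whether an alert survives the computer-account filter.

    An account that cannot be classified (None) never suppresses the alert: a
    parser miss or a "-" member fails open, otherwise tuning away noise would
    also create a blind spot.
    """
    if is_computer_account(alert.operator) and not consider_operator_computer_accounts:
        return False
    if is_computer_account(alert.member) and not consider_member_computer_accounts:
        return False
    return True


def filter_alerts(texts: List[str], **switches) -> List[str]:
    """Return the alert texts that pass keep_alert with the given switches."""
    return [t for t in texts if keep_alert(parse_alert(t), **switches)]


# Constructed sample input: the four alert texts from the question, one alert
# with a "-" member (the case the reply mentions), one where the added member
# is itself a computer account, and one human-to-human change that must survive.
SAMPLE_ALERTS = [
    r"Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.",
    r"There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.",
    r"Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.",
    r"There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.",
    r"Member - added to group Builtin\Administrators by DOMAIN\helpdesk01.",
    r"Member DOMAIN\WS-0042$ added to group Builtin\Administrators by DOMAIN\helpdesk01.",
    r"Member DOMAIN\jdoe added to group Builtin\Administrators by DOMAIN\helpdesk01.",
]

if __name__ == "__main__":
    for text in filter_alerts(SAMPLE_ALERTS):
        print("KEEP", text)
```

With both switches at their default the four alerts from the question are dropped (their operators all end in `$`), the "-" member alert is kept because "-" cannot be classified, and the alert where a computer account is the added member is dropped until `consider_member_computer_accounts=True`. Note what the operator switch suppresses in rule (II): the operator `DOMAIN\LAU106-54-90$` is a machine account, but the target `LAU106-54-90\admin` is a local administrator whose password was changed, so a filter on the operator side alone hides that change; decide per rule which side the filter should look at.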

  • The previous version of the rule was not good enough; sometimes the member account name equals "-" in the events.

    Please use this one instead:

    8345.Member added to administrative group with account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Member added to administrative group with account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/1/2020 3:07:10 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when a member is added to an administrative group. The rule's parameter is Administrative Groups. When specifying the Administrative Groups, include the groups whose membership you want to monitor.
    The rule disables the operator account and removes the added member from the group.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Member added to administrative group, with account filtering</Name>
    	<Guid>{FB3E6004-5C26-4060-B507-CD8913A59256}</Guid>
    	<MatchCondition>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</MatchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000B70000004100640064006900740069006F006E0020006F0066002000610020006D0065006D00620065007200200074006F00200061006E002000610064006D0069006E006900730074007200610074006900760065002000670072006F0075007000200072006500730075006C0074007300200069006E00200065007800740065006E0073006900760065002000700072006900760069006C006500670065007300200066006F0072002000740068006900730020006D0065006D006200650072002E00200049006E00200073007500630068002000630061007300650073002C00200074006800650020006D006F007400690076006100740069006F006E00200066006F007200200065006C00650076006100740069006E006700200074006800650020006100660066006500630074006500640020007500730065007200730027002000700072006900760069006C006500670065007300200069007300200075006E006B006E006F0077006E002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>Member %Member Account% added to group %Target Group Domain%\%Target Group Name% by %Operator Account Domain%\%Operator Account Name%.</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_SEC_0028 (2)</AlertCode>
    	
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{41BA4430-8158-439F-84CA-C3C3DF91F5D2}</Guid>
    			<ComposerTemplate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omposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    			
    		</ITRTNotificationFormat>
    		<ITRTNotificationFormat>
    			<Guid>{3ACB93F9-3633-4726-9732-F3EB5A1DF7E0}</Guid>
    			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02200000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D00650025002E00050000007500740066002D003800DB00000025004400650073006300720069007000740069006F006E0025000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000A000A0046006F00720020006D006F0072006500200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F0077002000740068006900730020006C0069006E006B003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025002E00</ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>0</Enabled>
    			<NotificationType>{ECEB8D7E-04D9-49F6-8B38-EB90C97AC523}</NotificationType>
    			
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{E2E12BEA-3753-402B-A995-35516AF229F9}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    			
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D001700000025004F00700065007200610074006F00720020004100630063006F0075006E00740020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D001900000025004F00700065007200610074006F00720020004100630063006F0075006E007400200044006F006D00610069006E002500</ProviderConfig>
    			<Guid>{1C152F0B-0AB4-4CB9-AE03-4AF867BD7AF3}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig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roviderConfig>
    			<Guid>{9B183A3A-D697-439A-B863-730B7A8058DB}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>1</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig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roviderConfig>
    			<Guid>{98A68F27-D1BC-4D30-87B0-B6204005264B}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>2</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{05AB5691-6EB3-4BF2-B4F0-0A99ACBD223A}</Guid>
    			<FieldValue>%MemAccount%</FieldValue>
    			<FieldName>Member Account</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{200CBEE9-4D91-466F-84EC-42BC84F87591}</Guid>
    			<FieldValue>%TargetName%</FieldValue>
    			<FieldName>Target Group Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{F124999B-FAE9-4603-9DE3-67DD1D1E07EB}</Guid>
    			<FieldValue>%OperatorName%</FieldValue>
    			<FieldName>Operator Account Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{834F808A-C392-40C4-83F4-A757E98F8A72}</Guid>
    			<FieldValue>%OperatorDomain%</FieldValue>
    			<FieldName>Operator Account Domain</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{8DEDEF63-4B24-4AC2-81C1-CB29C2930B2E}</Guid>
    			<FieldValue>%TargetDomain%</FieldValue>
    			<FieldName>Target Group Domain</FieldName>
    			
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
    

  • Thanks! I will replace it.

    Finally I started to get alerts for event ID 4771, but it is also sending me alerts with "comp name$" as the user:

    InTrust Major alert - Multiple pre-authentication failures.

    There were 5 pre-authentication failures by MSTS-LEV2$ user (IP: ::ffff:10.1.37.132) attempting to gain access to the krbtgt/DOMAIN.COM service.

    Thanks in advance

  • And this one, "Multiple pre-authentication failures, with computer account filtering".

    I've changed the logic a bit. The original rule triggers on the batch of 4771 events from any users. The following one considers the user name.

    Multiple pre-authentication failures with computer account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Multiple pre-authentication failures with computer account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/3/2020 9:38:58 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when there are more than the specified number of pre-authentication failures within the specified period of time.
    The rule's parameters are Threshold and Period. When specifying the Threshold, supply the number of pre-authentication failures. The rule will be matched when the threshold is exceeded. When specifying the Period, supply the time length within which the failures must occur.
    The rule has no response actions.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Multiple pre-authentication failures, with computer account filtering</Name>
    	<Guid>{2F92CE1F-8452-40DF-BCCB-71D01CF951A8}</Guid>
    	<MatchCondition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atchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000670000004D0075006C007400690070006C00650020007000720065002D00610075007400680065006E007400690063006100740069006F006E0020006600610069006C0075007200650020006500760065006E007400730020006D0061007900200069006E00640069006300610074006500200069006E0074007200750064006500720020006100630074006900760069007400790020007300750063006800200061007300200061002000620072007500740065002D0066006F007200630065002000610074007400610063006B002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>There were %match.eventcount% pre-authentication failures by %User Name% user (IP: %Client IP%) attempting to gain access to the %Service% service</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_ATP_0030 (2)</AlertCode>
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{EB75BF10-1020-4482-BFD3-42076242CC95}</Guid>
    			<ComposerTemplate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omposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{E53A37B2-DF61-4E14-8A0F-34000398625D}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig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roviderConfig>
    			<Guid>{C960F3B4-35D5-422A-99F5-F5870112BF7A}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{614E20BD-E2DB-4412-9C3D-AB03D65BB5BF}</Guid>
    			<FieldValue>%String1%</FieldValue>
    			<FieldName>User Name</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{A767FC57-9C29-4DB9-A086-46BB90DEBE3E}</Guid>
    			<FieldValue>%UserIP%</FieldValue>
    			<FieldName>Client IP</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{BC9F1A37-3AD4-4A63-A77F-6389B00E5129}</Guid>
    			<FieldValue>%String3%</FieldValue>
    			<FieldName>Service</FieldName>
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
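
The logic this reply describes, counting 4771 failures per user name within a period while leaving computer accounts out, as an added example written for this thread (Python; not the InTrust rule above, whose conditions live in its binary fields). The event shape, the `correlate` function and the sample events are constructed here; `threshold` and `period` follow the Threshold and Period parameters in the rule description, and `consider_computer_accounts` mirrors the filtering switch. The Kerberos client addresses reuse the two IPs quoted later in the thread as constructed sample values.

```python
"""Threshold rule for Kerberos pre-authentication failures (event ID 4771),
counted per user and ignoring computer accounts.

Added example for the thread, not the InTrust rule itself: it shows the logic
the reply describes (failures counted per user name within a period rather than
over the whole batch) on constructed events. Field names are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Tuple


class PreAuthFailure(NamedTuple):
    ts: int          # seconds since epoch (constructed)
    user: str        # TargetUserName of the 4771 event
    client_ip: str   # IpAddress of the 4771 event
    service: str     # ServiceName, e.g. krbtgt/DOMAIN.COM


class Alert(NamedTuple):
    user: str
    count: int
    client_ips: Tuple[str, ...]
    service: str


def is_computer_account(user: str) -> bool:
    """Machine accounts carry a trailing "$" in their sAMAccountName."""
    return user.endswith("$")


def correlate(events: List[PreAuthFailure], threshold: int, period: int,
              consider_computer_accounts: bool = False) -> List[Alert]:
    """Emit one alert per user each time `threshold` failures fall within `period` seconds.

    Events are processed in time order. Each user has a sliding window that drops
    failures older than the period; the window is cleared once it fires so that a
    single burst is reported once rather than on every further failure.
    """
    windows: Dict[str, Deque[PreAuthFailure]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_computer_account(ev.user) and not consider_computer_accounts:
            continue  # the machine-account noise the question asks to filter out
        win = windows[ev.user]
        win.append(ev)
        while win and ev.ts - win[0].ts > period:
            win.popleft()
        if len(win) >= threshold:
            ips = tuple(sorted({e.client_ip for e in win}))
            alerts.append(Alert(ev.user, len(win), ips, ev.service))
            win.clear()
    return alerts


# Constructed sample: a burst from a computer account (suppressed by default),
# a burst from a user account across two client addresses (alerts once, then the
# trailing failure starts a new window), and slow failures that never reach the threshold.
SAMPLE_EVENTS = [
    *[PreAuthFailure(t, "MSTS-LEV2$", "::ffff:10.1.37.132", "krbtgt/DOMAIN.COM") for t in range(6)],
    PreAuthFailure(100, "bebaruch", "::ffff:10.1.6.19", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(110, "bebaruch", "::ffff:10.1.6.19", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(120, "bebaruch", "::ffff:10.1.5.39", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(130, "bebaruch", "::ffff:10.1.6.19", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(140, "bebaruch", "::ffff:10.1.5.39", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(150, "bebaruch", "::ffff:10.1.5.39", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(0, "alice", "::ffff:10.1.8.8", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(400, "alice", "::ffff:10.1.8.8", "krbtgt/DOMAIN.COM"),
    PreAuthFailure(800, "alice", "::ffff:10.1.8.8", "krbtgt/DOMAIN.COM"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, threshold=5, period=60):
        print(f"There were {a.count} pre-authentication failures by {a.user} "
              f"(IP: {', '.join(a.client_ips)}) attempting to gain access to the {a.service} service")
```

With threshold 5 and a 60-second period the run reports `bebaruch` once with both client addresses and nothing for `MSTS-LEV2$`; passing `consider_computer_accounts=True` brings the machine-account burst back, which is the knob to flip when a specific computer account is worth watching. The reported addresses are the Kerberos client addresses carried in the events, the same information the e-mail alert shows.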
    

  • Regarding "Multiple pre-authentication failures, with computer account filtering"

    Thank you for that!

    Is there a way to know "On Which RDP TERMINAL SERVER" the user tried and failed to log in?

    Like in this real example, I cannot see which terminal server the user "bebaruch" tried to connect to and failed:

    I received 2 emails for each alert (after 10 failed tries):

    First:

    InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.6.19) attempting to gain access to the krbtgt/domain service

    Alert was generated on computer dc-lev5.DOMAIN.COM

    (10.1.6.19 is a DC server named dc-lev1)

    Second:

    InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.5.39) attempting to gain access to the krbtgt/domain service

    Alert was generated on computer dc-lev1.domain.com.

    (10.1.5.39 is the physical computer that the user tried to RDP FROM (origin), but not the terminal server where the login actually failed)

    Thanks in advance

  • To my understanding, no; these 4771 events do not contain such info as the terminal server IP or name.