Filter Out computer name in some Rules

Hello,

I wish to filter out the computer name in some rules.

The rules makes False alerts with the computer name as user name.

How exactely can i do that ?

Thanks in advance 

*********

Rule (I) : Member added to an administrative group


Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I) : Change Password Attempt on Administrative Account


There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A) : User Account enabled by unauthorized personnel


Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM

****************
Rule (A) : Multiple failed logons by the same user


There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

Parents
  • Hi Ben,

    Here the first rule goes, "Member added to an administrative group with account filtering".

    1. The old functionality about XP computers removed,
    2. Two new parameters added, "Consider Operator Computer Accounts" and "Consider Member Computer Accounts", these display names can be easily changed in Advanced rule editor,
    3. The alert name changed, now the email subject contains all the details,
    4. The email body changed, now it contains the link to the IT Security Search.

    To install the rule, right click on any rule folder, click "Import" and select the xml file.

  • The previous version of the rule was not good enough, sometimes member account name equals to "-" in the events.

    Please use instead this one:

    8345.Member added to administrative group with account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Member added to administrative group with account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/1/2020 3:07:10 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when a member is added to an administrative group. The rule's parameter is Administrative Groups. When specifying the Administrative Groups, include the groups whose membership you want to monitor.
    The rule disables the operator account and removes the added member from the group.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Member added to administrative group, with account filtering</Name>
    	<Guid>{FB3E6004-5C26-4060-B507-CD8913A59256}</Guid>
    	<MatchCondition>01000000860800003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200470072006F007500700020004C00690073007400220020006E0061006D0065003D002200470072006F007500700020004C006900730074002200200063006C006100730073003D0022004C00690073007400220020006400650073006300720069007000740069006F006E003D002200410020006C0069007300740020006F0066002000610064006D0069006E006900730074007200610074006900760065002000670072006F00750070007300200069006E00200061006E0020006F007200670061006E0069007A006100740069006F006E0022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200410064006D0069006E006900730074007200610074006F007200730022002C002000220044006F006D00610069006E002000410064006D0069006E00730022002C002000220045006E00740065007200700072006900730065002000410064006D0069006E00730022002C002000220053006300680065006D0061002000410064006D0069006E00730022002C00200022004100630063006F0075006E00740020004F00700065007200610074006F007200730022002C00200022004200610063006B007500700020004F00700065007200610074006F007200730022002C002000220053006500720076006500720020004F00700065007200610074006F007200730022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004D0065006D00620065007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006D0065006D00620065007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006D0065006D00620065007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A000D000A004500760065006E0074004900440020003D002000340037003200380020006F00720020004500760065006E0074004900440020003D002000340037003300320020006F00720020004500760065006E0074004900440020003D00200034003700350036003B000D000A000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A0064006500660020007300650074004D0065006D004100630063006F0075006E00740028007300740072004E00290020003A003D000D000A007B000D000A0020002000200020007300650074005F0061006C006500720074005F006600690065006C006400280022004D0065006D004100630063006F0075006E00740022002C0020007300740072004E002C002000740072007500650029000D000A007D000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F007400280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A006400650066002000660069006E00640044006F006D00610069006E004E0061006D00650053006C00610073006800530061006D004100630063006F0075006E0074004E0061006D00650028007300740072004E002C007300740072004E004E00290020003A003D000D000A007B000D000A002000200020002000630068006F006F00730065002800280073007400720073007400720028007300740072004E002C0022005C005C0022002900200021003D0020002D00310029002C000D000A0020002000200020002000200020002000200020002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C0020007300740072004E002900200061006E00640020007300650074004D0065006D004100630063006F0075006E00740028007300740072004E0029002C000D000A0020002000200020002000200020002000200020002000280073007400720073007400720028007300740072004E004E002C0022005C005C0022002900200021003D0020002D0031002900200061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C0020007300740072004E004E002900200061006E00640020007300650074004D0065006D004100630063006F0075006E00740028007300740072004E004E0029000D000A00200020002000200020002000200020002000200029000D000A007D000D000A000D000A0028004500760065006E0074004900440020003D002000340037003200380020006F00720020004500760065006E0074004900440020003D002000340037003300320020006F00720020004500760065006E0074004900440020003D002000340037003500360029000D000A0061006E006400200069006E002800200053007400720069006E00670033002C00200022007700690022002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D002200470072006F007500700020004C0069007300740022002F003E002900200029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700370029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700310029000D000A0061006E0064002000660069006E00640044006F006D00610069006E004E0061006D00650053006C00610073006800530061006D004100630063006F0075006E0074004E0061006D006500280053007400720069006E006700310032002C0053007400720069006E0067003100330029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F0072004E0061006D00650022002C00200053007400720069006E00670037002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F00720044006F006D00610069006E0022002C00200053007400720069006E00670038002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C00200053007400720069006E00670033002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C00200053007400720069006E00670034002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000B70000004100640064006900740069006F006E0020006F0066002000610020006D0065006D00620065007200200074006F00200061006E002000610064006D0069006E006900730074007200610074006900760065002000670072006F0075007000200072006500730075006C0074007300200069006E00200065007800740065006E0073006900760065002000700072006900760069006C006500670065007300200066006F0072002000740068006900730020006D0065006D006200650072002E00200049006E00200073007500630068002000630061007300650073002C00200074006800650020006D006F007400690076006100740069006F006E00200066006F007200200065006C00650076006100740069006E006700200074006800650020006100660066006500630074006500640020007500730065007200730027002000700072006900760069006C006500670065007300200069007300200075006E006B006E006F0077006E002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>Member %Member Account% added to group %Target Group Domain%\%Target Group Name% by %Operator Account Domain%\%Operator Account Name%.</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_SEC_0028 (2)</AlertCode>
    	
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{41BA4430-8158-439F-84CA-C3C3DF91F5D2}</Guid>
    			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800ED01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E004400250025003200300049006E00730065007200740069006F006E0053007400720069006E006700330025002500330044002500250032003200250053007400720069006E006700330025002500250032003200250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    			
    		</ITRTNotificationFormat>
    		<ITRTNotificationFormat>
    			<Guid>{3ACB93F9-3633-4726-9732-F3EB5A1DF7E0}</Guid>
    			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02200000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D00650025002E00050000007500740066002D003800DB00000025004400650073006300720069007000740069006F006E0025000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000A000A0046006F00720020006D006F0072006500200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F0077002000740068006900730020006C0069006E006B003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025002E00</ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>0</Enabled>
    			<NotificationType>{ECEB8D7E-04D9-49F6-8B38-EB90C97AC523}</NotificationType>
    			
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{E2E12BEA-3753-402B-A995-35516AF229F9}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    			
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D001700000025004F00700065007200610074006F00720020004100630063006F0075006E00740020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D001900000025004F00700065007200610074006F00720020004100630063006F0075006E007400200044006F006D00610069006E002500</ProviderConfig>
    			<Guid>{1C152F0B-0AB4-4CB9-AE03-4AF867BD7AF3}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig>01000000260000007B00310044004100370045004100310039002D0036003700410039002D0034004300340045002D0041003800350030002D003200380043004600390044004500360031003600450039007D0004000000260000007B00310044003500380038004100310046002D0031003200310035002D0034003800350031002D0042003200360036002D004600330035003200330032003000360045003000310043007D000A000000250043006F006D00700075007400650072002500260000007B00360046004400410044003200390044002D0046003300310044002D0034004100330031002D0042003800320035002D004400430046004300380041003500310037003900310031007D0010000000250043006F006D007000750074006500720044006F006D00610069006E002500260000007B00410033003200380046004300310030002D0041003500330038002D0034003000410032002D0039003800380031002D004300350032003500420033003500370038004200410033007D002900000025005400610072006700650074002000470072006F0075007000200044006F006D00610069006E0025005C0025005400610072006700650074002000470072006F007500700020004E0061006D0065002500260000007B00430038004600310045003900390037002D0030003000420042002D0034004300380035002D0041004100310035002D004500350037003600460036003200430044004200300041007D001000000025004D0065006D0062006500720020004100630063006F0075006E0074002500</ProviderConfig>
    			<Guid>{9B183A3A-D697-439A-B863-730B7A8058DB}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>1</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
    			<Guid>{98A68F27-D1BC-4D30-87B0-B6204005264B}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>2</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{05AB5691-6EB3-4BF2-B4F0-0A99ACBD223A}</Guid>
    			<FieldValue>%MemAccount%</FieldValue>
    			<FieldName>Member Account</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{200CBEE9-4D91-466F-84EC-42BC84F87591}</Guid>
    			<FieldValue>%TargetName%</FieldValue>
    			<FieldName>Target Group Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{F124999B-FAE9-4603-9DE3-67DD1D1E07EB}</Guid>
    			<FieldValue>%OperatorName%</FieldValue>
    			<FieldName>Operator Account Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{834F808A-C392-40C4-83F4-A757E98F8A72}</Guid>
    			<FieldValue>%OperatorDomain%</FieldValue>
    			<FieldName>Operator Account Domain</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{8DEDEF63-4B24-4AC2-81C1-CB29C2930B2E}</Guid>
    			<FieldValue>%TargetDomain%</FieldValue>
    			<FieldName>Target Group Domain</FieldName>
    			
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
    

Reply Children
  • And this one, "Multiple pre-authentication failures, with computer account filtering".

    I've changed the logic a bit. The original rule triggers on the batch of 4771 events from any users. The following one considers the user name.

    Multiple pre-authentication failures with computer account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Multiple pre-authentication failures with computer account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/3/2020 9:38:58 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when there are more than the specified number of pre-authentication failures within the specified period of time.
    The rule's parameters are Threshold and Period. When specifying the Threshold, supply the number of pre-authentication failures. The rule will be matched when the threshold is exceeded. When specifying the Period, supply the time length within which the failures must occur.
    The rule has no response actions.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Multiple pre-authentication failures, with computer account filtering</Name>
    	<Guid>{2F92CE1F-8452-40DF-BCCB-71D01CF951A8}</Guid>
    	<MatchCondition>010000005A0500003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006400650073006300720069007000740069006F006E003D002200540069006D006500200070006500720069006F006400200069006E00200077006800690063006800200074006800650020006500760065006E007400730020006F0063006300750072007200650064002E002200200063006C006100730073003D0022004400610074006500540069006D006500520061006E006700650022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200300030003A00300031003A003000300022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D0022005400680072006500730068006F006C006400220020006E0061006D0065003D0022005400680072006500730068006F006C006400220020006400650073006300720069007000740069006F006E003D0022004500760065006E007400730020007400680072006500730068006F006C0064002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0035003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A004500760065006E0074004900440020003D00200034003700370031003B000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F0074002000280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A0063006F0075006E0074002800730065006C006500630074005F00660069006C007400650072006500640028000D000A00200020002000200020002000200020004500760065006E0074004900440020003D0020003400370037003100200061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700310029002C000D000A00200020002000200020002000200020005A002E004500760065006E0074004900440020003D0020004500760065006E00740049004400200061006E00640020007300740072006900650071007500280020005A002E0053007400720069006E00670031002C00200053007400720069006E0067003100200029002C000D000A00200020002000200020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E00200029002000290020000D000A0020002000200020002600670074003B003D0020003C0070006100720061006D00650074006500720020006E0061006D0065003D0022005400680072006500730068006F006C00640022003E003C002F0070006100720061006D0065007400650072003E000D000A0061006E006400200065006D007000740079002800730065006C006500630074005F006D0061007400630068006500730028000D000A0020002000200020007300740072006900650071007500280020005A005B0030005D002E0053007400720069006E00670031002C00200053007400720069006E0067003100200029002C000D000A0020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E000D000A002000200020002000290029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C0064002800220055007300650072004900500022002C00200053007400720069006E00670037002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000670000004D0075006C007400690070006C00650020007000720065002D00610075007400680065006E007400690063006100740069006F006E0020006600610069006C0075007200650020006500760065006E007400730020006D0061007900200069006E00640069006300610074006500200069006E0074007200750064006500720020006100630074006900760069007400790020007300750063006800200061007300200061002000620072007500740065002D0066006F007200630065002000610074007400610063006B002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>There were %match.eventcount% pre-authentication failures by %User Name% user (IP: %Client IP%) attempting to gain access to the %Service% service</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_ATP_0030 (2)</AlertCode>
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{EB75BF10-1020-4482-BFD3-42076242CC95}</Guid>
    			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800BD01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{E53A37B2-DF61-4E14-8A0F-34000398625D}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
    			<Guid>{C960F3B4-35D5-422A-99F5-F5870112BF7A}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{614E20BD-E2DB-4412-9C3D-AB03D65BB5BF}</Guid>
    			<FieldValue>%String1%</FieldValue>
    			<FieldName>User Name</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{A767FC57-9C29-4DB9-A086-46BB90DEBE3E}</Guid>
    			<FieldValue>%UserIP%</FieldValue>
    			<FieldName>Client IP</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{BC9F1A37-3AD4-4A63-A77F-6389B00E5129}</Guid>
    			<FieldValue>%String3%</FieldValue>
    			<FieldName>Service</FieldName>
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
    

  • Regarding "Multiple pre-authentication failures, with computer account filtering"

    Thank you for that !

     

    Is there a way to know: "On Which RDP TERMINAL SERVER" the user tried and failed to login ??

    Like in this real example, I cannot see which terminal server the user "bebaruch" tried  to connect to and failed : 

    I received on each alert (after 10 failed tries) 2 emails  : 

    First :

    InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.6.19) attempting to gain access to the krbtgt/domain service

    Alert was generated on computer dc-lev5.DOMAIN.COM

     (10.1.6.19 is a dc server named dc-lev1)

     

    Second : 

    InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.5.39) attempting to gain access to the krbtgt/domain service

    Alert was generated on computer dc-lev1.domain.com.

     (10.1.5.39 is the physical computer that the user tried to RDP FROM(origin) but not the terminal server where the login actually failed )

    Thanks In Advance