Filter Out computer name in some Rules

Hello,

I wish to filter out the computer name in some rules.

The rules make false alerts with the computer name as user name.

How exactly can I do that?

Thanks in advance 

*********

Rule (I) : Member added to an administrative group


Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I) : Change Password Attempt on Administrative Account


There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A) : User Account enabled by unauthorized personnel


Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM

****************
Rule (A) : Multiple failed logons by the same user


There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

  • The third one, "User account enabled by unauthorized personnel with computer account filtering"

    User account enabled by unauthorized personnel with computer account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: User account enabled by unauthorized personnel with computer account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/2/2020 3:44:42 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when a user account is enabled by personnel not specified as authorized. The rule's parameter is Authorized Groups. When specifying the Authorized Groups, include groups whose members are allowed to manage user accounts.
    The rule disables both the operator account and the enabled account.
    This rule cannot be used to monitor for actions performed using agent account.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>User account enabled by unauthorized personnel, with computer account filtering</Name>
    	<Guid>{6FEBFEDA-DEE2-4C00-BCF0-75CF6F77901D}</Guid>
    	<MatchCondition>01000000030500003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200470072006F007500700020004C00690073007400220020006E0061006D0065003D002200470072006F007500700020004C006900730074002200200063006C006100730073003D0022004C00690073007400220020006400650073006300720069007000740069006F006E003D002200410020006C0069007300740020006F0066002000670072006F00750070007300200066006F00720020006D0061006E006100670069006E0067002000750073006500720020006100630063006F0075006E0074007300200069006E00200061006E0020006F007200670061006E0069007A006100740069006F006E0022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200410064006D0069006E006900730074007200610074006F007200730022002C0022004100630063006F0075006E00740020004F00700065007200610074006F007200730022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0
075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F0074002000280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A004500760065006E0074004900440020003D00200034003700320032000D000A0061006E00640020006E006F00740020006500780069007300740028002000700072006500760069006F00750073005F006C0069006D00280020005A002E004500760065006E0074004900440020003D0020003400370032003000200061006E00640020005A002E0053007400720069006E006700310020003D00200053007400720069006E00670031002C0020002200300030003A00300030003A003000310022002000290029000D000A0061006E00640020006E006F0074002000690073005F00630075007200720065006E0074005F0075007300650072002800200053007400720069006E00670036002C00200053007400720069006E0067003500200029000D000A0061006E00640020006E006F00740020006D0065006D006200650072005F006F006600280020007300740072006300610074002800200053007400720069006E00670036002C00200022005C005C0022002C00200053007400720069006E0067003500200029002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D002200470072006F007500700020004C0069007300740022002F003E0029002C0020007400720075006500200029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C00700
06100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700350029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F0072004E0061006D00650022002C00200053007400720069006E00670035002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F00720044006F006D00610069006E0022002C00200053007400720069006E00670036002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C00200053007400720069006E00670031002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C00200053007400720069006E00670032002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E00</MatchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000EA0000004F006E006C007900200061007500740068006F00720069007A00650064002000610064006D0069006E006900730074007200610074006F00720073002000730068006F0075006C006400200065006E00610062006C0065002000750073006500720020006100630063006F0075006E00740073002E00200049006600200073006F006D0065006F006E006500200065006C0073006500200064006F00650073002C002000740068006900730020006D0061007900200069006E00640069006300610074006500200061002000700072006F0062006C0065006D002E00200049006E00200073007500630068002000630061007300650073002C00200074006800650020006D006F007400690076006100740069006F006E00200066006F007200200065006E00610062006C0069006E006700200074006800650020006100630063006F0075006E007400200069007300200075006E006B006E006F0077006E002E002000570068006100740020006900730020006D006F00720065002C002000740068006500200063006F00720070006F007200610074006500200070006F006C006900630079002000690073002000760069006F006C0061007400650064002000740068006900730020007700610079002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>Account %Target Account Domain%\%Target Account Name% enabled by %Operator Account Domain%\%Operator Account Name%</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_SEC_0131 (2)</AlertCode>
    	
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{DFC92E40-3098-4627-BDF5-2C0266AEBF6D}</Guid>
    			<ComposerTemplate>...</ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    			
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{EAA31AEB-1F6D-45B8-9EC8-10EE06D97110}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    			
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig>...</ProviderConfig>
    			<Guid>{B2354848-A20E-48C4-B473-3642E65B6D31}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>1</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig>...</ProviderConfig>
    			<Guid>{AC693D4F-76B1-4661-A084-458627D5D2AF}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig>...</ProviderConfig>
    			<Guid>{FAEFCBEC-6366-4D74-90F8-5FBF7A1F386E}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>2</ExecutionOrder>
    			<Destination>0</Destination>
    			
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{3966DE27-5670-4874-B0CF-2E2B8441D108}</Guid>
    			<FieldValue>%TargetName%</FieldValue>
    			<FieldName>Target Account Name</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{B1AE2630-EACB-4A51-8EAD-40A969E0E1BB}</Guid>
    			<FieldValue>%TargetDomain%</FieldValue>
    			<FieldName>Target Account Domain</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{970AA464-C71B-46D9-B56D-B2B8F746E695}</Guid>
    			<FieldValue>%OperatorDomain%</FieldValue>
    			<FieldName>Operator Account Domain</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{41339110-7070-40CC-897F-BB62D693C86B}</Guid>
    			<FieldValue>%OperatorName%</FieldValue>
    			<FieldName>Operator Account Name</FieldName>
    			
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
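
To read what an exported rule such as the attachment above matches before importing it, its hex fields can be decoded to text. This is an added example, not part of the original thread or of Quest's tooling; the layout (a 4-byte value of 1, a 4-byte little-endian character count, then UTF-16LE text) is an assumption inferred from the fields visible in this attachment, and the function names and sample input are constructed.

```python
import re
import struct

HEADER_LEN = 8  # assumed layout: uint32 marker (1) + uint32 UTF-16 unit count, little-endian


def encode_field(text: str) -> str:
    """Build a hex field in the assumed layout (used only to construct sample input)."""
    raw = text.encode("utf-16-le")
    return (struct.pack("<II", 1, len(raw) // 2) + raw).hex().upper()


def decode_field(hex_text: str) -> str:
    """Decode a hex-encoded rule field, tolerating line wraps inside the hex run."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", cleaned):
        raise ValueError("not an even-length hex string")
    blob = bytes.fromhex(cleaned)
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 8-byte header")
    marker, units = struct.unpack_from("<II", blob)
    payload = blob[HEADER_LEN:]
    if marker != 1:
        raise ValueError(f"unexpected marker {marker}")
    if len(payload) != units * 2:
        raise ValueError(f"header declares {units} units, payload has {len(payload) // 2}")
    return payload.decode("utf-16-le")


def decode_rule_fields(xml_text: str, tags=("MatchCondition", "VendorKnowledgeBase")) -> dict:
    """Pull the named elements out of a rule export and decode each one."""
    # A regex is used instead of an XML parser so a damaged or untrusted export can still be read.
    out = {}
    for tag in tags:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", xml_text, re.S)
        if m:
            out[tag] = decode_field(m.group(1))
    return out


# Constructed sample, not the rule from this thread: the hex is wrapped mid-byte
# across two lines, the way the attachment's MatchCondition is.
SAMPLE_TEXT = "constructed rule body: skip operators whose name ends with $"
_hex = encode_field(SAMPLE_TEXT)
SAMPLE_XML = f"<Rule>\n\t<MatchCondition>{_hex[:41]}\n{_hex[41:]}</MatchCondition>\n</Rule>"

if __name__ == "__main__":
    print(decode_rule_fields(SAMPLE_XML)["MatchCondition"])
```

The length check rejects a field whose header and payload disagree, so a truncated paste is reported instead of being silently decoded.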
    
