Filter Out computer name in some Rules

Hello,

I wish to filter out the computer name in some rules.

The rules make false alerts with the computer name as user name.

How exactly can I do that?

Thanks in advance

*********

Rule (I): Member added to an administrative group


Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I): Change Password Attempt on Administrative Account


There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A): User Account enabled by unauthorized personnel


Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM.

****************
Rule (A): Multiple failed logons by the same user


There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

Reply
  • The fourth one, "Multiple failed logons by the same user with computer account filtering"

    Multiple failed logons by the same user with computer account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Multiple failed logons by the same user with computer account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/2/2020 9:32:17 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when there are more than the specified number of failed logons made by the same user within the specified period of time.
    The rule's parameters are Threshold and Time Period. When specifying the Threshold, supply the number of failed logon attempts. The rule will be matched when the threshold is exceeded. When specifying the Time Period, supply the time length within which the attempts must occur.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Multiple failed logons by the same user, with computer account filtering</Name>
    	<Guid>{9EC55E7B-B8EC-4420-84CC-4EDEFC271EB0}</Guid>
    	<MatchCondition>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</MatchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000530000004D0075006C007400690070006C00650020006600610069006C006500640020006C006F0067006F006E00730020006D0061007900200069006E00640069006300610074006500200069006E0074007200750064006500720020006100630074006900760069007400790020007300750063006800200061007300200061002000620072007500740065002D0066006F007200630065002000610074007400610063006B002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>There were %match.eventcount% failed logons by user %User Domain%\%User Name% from workstation %Workstation%</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_ATP_0035 (2)</AlertCode>
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{AC77BF67-2CBC-44D7-833D-45BA6D06670F}</Guid>
    			<ComposerTemplate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omposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{B619E7A5-187B-4017-AE48-D681F3AE6DBE}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig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roviderConfig>
    			<Guid>{4A3A1A11-685D-426B-AD27-77FAA955352C}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>1</ExecutionOrder>
    			<Destination>0</Destination>
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D000B0000002500550073006500720020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D000D00000025005500730065007200200044006F006D00610069006E002500</ProviderConfig>
    			<Guid>{D46B0090-DF57-4520-832B-B37029D59822}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{2AEA1EDD-BFB9-4D28-A8F3-89B165C8260B}</Guid>
    			<FieldValue>%_UsrDomain%</FieldValue>
    			<FieldName>User Domain</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{736054BF-D2CE-41C8-95E8-32DB27E64635}</Guid>
    			<FieldValue>%_WorkStation%</FieldValue>
    			<FieldName>Workstation</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{FB48EECF-1E40-451E-9519-FA339F0760F2}</Guid>
    			<FieldValue>%_UsrName%</FieldValue>
    			<FieldName>User Name</FieldName>
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
    

Children
  • Hi

    Regarding "Multiple failed logons by the same user with computer account filtering":

    This new one still sends me a lot of alerts with the "Computer Name" as Username, like these examples:

    InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-TAL1 from workstation MSTS-TAL1

    Alert was generated on computer msts-tal1.DOMAIN.COM

    InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-LEV4 from workstation MSTS-LEV4

    Alert was generated on computer msts-lev4.DOMAIN.COM

  • I made a change in the function in all 5 rules, so please replace them all. If the problem still persists, I will ask you to provide specific events that trigger the alert.

    FixRules.zip
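As an added example, not code from this thread or from Quest InTrust: the "computer account filtering" that the posted rule and the follow-up are about, written as a stand-alone Python stand-in. The rule's MatchCondition (InTrust's own match expression) is not reproduced on the page, so nothing below is InTrust syntax; the script only reads the AlertName template and the AlertFields mapping (%_UsrDomain%, %_UsrName%, %_WorkStation%) from the posted rule and applies a machine-account test to constructed events shaped like the alerts quoted above. The first test is the standard one: a SAM account name ending in `$` is a computer account. The second test, treating a user name identical to the originating workstation's NetBIOS name as that machine account, is an assumption added for the follow-up case, where the alert shows DOMAIN\MSTS-TAL1 from workstation MSTS-TAL1 with no `$`. Event values are made up.

```python
"""Stand-in for the 'computer account filtering' discussed in the thread.

Reads the alert template and field mapping from the posted InTrust rule,
then suppresses alerts whose subject is a machine account. The real rule's
MatchCondition is not on the page; this is illustrative Python, not REL.
"""
import xml.etree.ElementTree as ET

# Excerpt of the posted rule reduced to what the filter needs.
RULE_XML = """<ITRTProcessingRule>
  <AlertName>There were %match.eventcount% failed logons by user %User Domain%\\%User Name% from workstation %Workstation%</AlertName>
  <AlertFields>
    <ITRTAlertField><FieldValue>%_UsrDomain%</FieldValue><FieldName>User Domain</FieldName></ITRTAlertField>
    <ITRTAlertField><FieldValue>%_WorkStation%</FieldValue><FieldName>Workstation</FieldName></ITRTAlertField>
    <ITRTAlertField><FieldValue>%_UsrName%</FieldValue><FieldName>User Name</FieldName></ITRTAlertField>
  </AlertFields>
</ITRTProcessingRule>"""

# Constructed events shaped like the alerts quoted in the thread; not real logs.
SAMPLE_EVENTS = [
    # classic machine account: SAM name ends with '$'
    {"match.eventcount": 5, "_UsrDomain": "DOMAIN", "_UsrName": "MSTS-TAL1$", "_WorkStation": "MSTS-TAL1"},
    # the follow-up case: user name is the host name with no '$'
    {"match.eventcount": 5, "_UsrDomain": "DOMAIN", "_UsrName": "MSTS-TAL1", "_WorkStation": "MSTS-TAL1"},
    # same situation, FQDN in the workstation field, lower case
    {"match.eventcount": 5, "_UsrDomain": "DOMAIN", "_UsrName": "msts-lev4", "_WorkStation": "msts-lev4.DOMAIN.COM"},
    # genuine user accounts that must still alert (names are made up)
    {"match.eventcount": 5, "_UsrDomain": "DOMAIN", "_UsrName": "jsmith", "_WorkStation": "MSTS-TAL1"},
    {"match.eventcount": 7, "_UsrDomain": "DOMAIN", "_UsrName": "svc_backup", "_WorkStation": "p-baruch.DOMAIN.COM"},
]


def load_alert_template(xml_text):
    """Return (AlertName template, {alert field name: event field name})."""
    root = ET.fromstring(xml_text)
    fields = {}
    for f in root.iter("ITRTAlertField"):
        # FieldValue is written as %_UsrName%; the event carries it as _UsrName
        fields[f.findtext("FieldName")] = f.findtext("FieldValue").strip("%")
    return root.findtext("AlertName"), fields


def netbios_name(host):
    """First DNS label, upper-cased: 'msts-lev4.DOMAIN.COM' -> 'MSTS-LEV4'."""
    return host.split(".", 1)[0].upper()


def is_computer_account(user_name, workstation=""):
    """True when the subject is the host's machine account.

    Test 1 (standard): a SAM account name ending in '$' is a computer account.
    Test 2 (assumption added for the follow-up case): a name equal to the
    originating workstation's NetBIOS name is treated as that machine account.
    """
    if user_name.endswith("$"):
        return True
    return bool(workstation) and user_name.upper() == netbios_name(workstation)


def render_alert(template, fields, event):
    """Expand %Alert Field% and %match.eventcount% placeholders for one event."""
    text = template.replace("%match.eventcount%", str(event["match.eventcount"]))
    for alert_field, event_field in fields.items():
        text = text.replace(f"%{alert_field}%", str(event.get(event_field, "")))
    return text


def filter_alerts(events, xml_text=RULE_XML):
    """Split events into (kept alerts, suppressed alerts), both rendered."""
    template, fields = load_alert_template(xml_text)
    kept, suppressed = [], []
    for ev in events:
        bucket = suppressed if is_computer_account(ev["_UsrName"], ev["_WorkStation"]) else kept
        bucket.append(render_alert(template, fields, ev))
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_alerts(SAMPLE_EVENTS)
    for line in kept:
        print("ALERT     ", line)
    for line in suppressed:
        print("suppressed", line)
```

Two cautions before applying the same suppression to every rule in the original question. Anything running as SYSTEM or as a service on a host is logged with that host's computer account as the subject, so dropping every event where the subject ends in `$` from "Member added to an administrative group" or "User Account enabled by unauthorized personnel" also hides a script that adds itself to the local Administrators group while running as SYSTEM; suppress on the logon-failure rule, and on the others prefer lowering severity or scoping the filter to specific hosts or groups. The NetBIOS-equality test is a heuristic for the case in the follow-up, and a user account deliberately named after a workstation would slip past it.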