Filter Out computer name in some Rules

benybb over 5 years ago

Hello,

I wish to filter out the computer name in some rules.

The rules makes False alerts with the computer name as user name.

How exactely can i do that ?

Thanks in advance

*********

Rule (I) : Member added to an administrative group

Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I) : Change Password Attempt on Administrative Account

There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A) : User Account enabled by unauthorized personnel

Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM

****************
Rule (A) : Multiple failed logons by the same user

There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

0 JohnnyQuest over 5 years ago

I always handle this by filtering out events where the username ends in '$'.
- 0 benybb over 5 years ago in reply to JohnnyQuest
  
  How can i do that ?

0 Igor.Ilyin over 5 years ago

Hi Ben,

Here the first rule goes, "Member added to an administrative group with account filtering".

The old functionality about XP computers removed,
Two new parameters added, "Consider Operator Computer Accounts" and "Consider Member Computer Accounts", these display names can be easily changed in Advanced rule editor,
The alert name changed, now the email subject contains all the details,
The email body changed, now it contains the link to the IT Security Search.

To install the rule, right click on any rule folder, click "Import" and select the xml file.

0 Igor.Ilyin over 5 years ago in reply to Igor.Ilyin

The previous version of the rule was not good enough, sometimes member account name equals to "-" in the events.

Please use instead this one:

8345.Member added to administrative group with account filtering.xml

Fullscreen

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: Member added to administrative group with account filtering.xml $
$Revision: 0 $
$Modtime: 7/1/2020 3:07:10 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description><![CDATA[This rule is matched when a member is added to an administrative group. The rule's parameter is Administrative Groups. When specifying the Administrative Groups, include the groups whose membership you want to monitor.
The rule disables the operator account and removes the added member from the group.]]></Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>Member added to administrative group, with account filtering</Name>
	<Guid>{FB3E6004-5C26-4060-B507-CD8913A59256}</Guid>
	<MatchCondition>01000000860800003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200470072006F007500700020004C00690073007400220020006E0061006D0065003D002200470072006F007500700020004C006900730074002200200063006C006100730073003D0022004C00690073007400220020006400650073006300720069007000740069006F006E003D002200410020006C0069007300740020006F0066002000610064006D0069006E006900730074007200610074006900760065002000670072006F00750070007300200069006E00200061006E0020006F007200670061006E0069007A006100740069006F006E0022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200410064006D0069006E006900730074007200610074006F007200730022002C002000220044006F006D00610069006E002000410064006D0069006E00730022002C002000220045006E00740065007200700072006900730065002000410064006D0069006E00730022002C002000220053006300680065006D0061002000410064006D0069006E00730022002C00200022004100630063006F0075006E00740020004F00700065007200610074006F007200730022002C00200022004200610063006B007500700020004F00700065007200610074006F007200730022002C002000220053006500720076006500720020004F00700065007200610074006F007200730022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004D0065006D00620065007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006D0065006D00620065007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006D0065006D00620065007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A000D000A004500760065006E0074004900440020003D002000340037003200380020006F00720020004500760065006E0074004900440020003D002000340037003300320020006F00720020004500760065006E0074004900440020003D00200034003700350036003B000D000A000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A0064006500660020007300650074004D0065006D004100630063006F0075006E00740028007300740072004E00290020003A003D000D000A007B000D000A0020002000200020007300650074005F0061006C006500720074005F006600690065006C006400280022004D0065006D004100630063006F0075006E00740022002C0020007300740072004E002C002000740072007500650029000D000A007D000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F007400280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A006400650066002000660069006E00640044006F006D00610069006E004E0061006D00650053006C00610073006800530061006D004100630063006F0075006E0074004E0061006D00650028007300740072004E002C007300740072004E004E00290020003A003D000D000A007B000D000A002000200020002000630068006F006F00730065002800280073007400720073007400720028007300740072004E002C0022005C005C0022002900200021003D0020002D00310029002C000D000A0020002000200020002000200020002000200020002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C0020007300740072004E002900200061006E00640020007300650074004D0065006D004100630063006F0075006E00740028007300740072004E0029002C000D000A0020002000200020002000200020002000200020002000280073007400720073007400720028007300740072004E004E002C0022005C005C0022002900200021003D0020002D0031002900200061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C0020007300740072004E004E002900200061006E00640020007300650074004D0065006D004100630063006F0075006E00740028007300740072004E004E0029000D000A00200020002000200020002000200020002000200029000D000A007D000D000A000D000A0028004500760065006E0074004900440020003D002000340037003200380020006F00720020004500760065006E0074004900440020003D002000340037003300320020006F00720020004500760065006E0074004900440020003D002000340037003500360029000D000A0061006E006400200069006E002800200053007400720069006E00670033002C00200022007700690022002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D002200470072006F007500700020004C0069007300740022002F003E002900200029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700370029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004D0065006D0062006500720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700310029000D000A0061006E0064002000660069006E00640044006F006D00610069006E004E0061006D00650053006C00610073006800530061006D004100630063006F0075006E0074004E0061006D006500280053007400720069006E006700310032002C0053007400720069006E0067003100330029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F0072004E0061006D00650022002C00200053007400720069006E00670037002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F00720044006F006D00610069006E0022002C00200053007400720069006E00670038002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C00200053007400720069006E00670033002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C00200053007400720069006E00670034002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
	<AlertSeverity>32</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
	<VendorKnowledgeBase>01000000B70000004100640064006900740069006F006E0020006F0066002000610020006D0065006D00620065007200200074006F00200061006E002000610064006D0069006E006900730074007200610074006900760065002000670072006F0075007000200072006500730075006C0074007300200069006E00200065007800740065006E0073006900760065002000700072006900760069006C006500670065007300200066006F0072002000740068006900730020006D0065006D006200650072002E00200049006E00200073007500630068002000630061007300650073002C00200074006800650020006D006F007400690076006100740069006F006E00200066006F007200200065006C00650076006100740069006E006700200074006800650020006100660066006500630074006500640020007500730065007200730027002000700072006900760069006C006500670065007300200069007300200075006E006B006E006F0077006E002E00</VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>Member %Member Account% added to group %Target Group Domain%\%Target Group Name% by %Operator Account Domain%\%Operator Account Name%.</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition>0100000000000000</FilterCondition>
	<AlertDescription></AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_AD_SEC_0028 (2)</AlertCode>
	
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{41BA4430-8158-439F-84CA-C3C3DF91F5D2}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800ED01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E004400250025003200300049006E00730065007200740069006F006E0053007400720069006E006700330025002500330044002500250032003200250053007400720069006E006700330025002500250032003200250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
			
		</ITRTNotificationFormat>
		<ITRTNotificationFormat>
			<Guid>{3ACB93F9-3633-4726-9732-F3EB5A1DF7E0}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02200000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D00650025002E00050000007500740066002D003800DB00000025004400650073006300720069007000740069006F006E0025000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000A000A0046006F00720020006D006F0072006500200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F0077002000740068006900730020006C0069006E006B003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025002E00</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>0</Enabled>
			<NotificationType>{ECEB8D7E-04D9-49F6-8B38-EB90C97AC523}</NotificationType>
			
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{E2E12BEA-3753-402B-A995-35516AF229F9}</Guid>
			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
			
		</ITRTRuleDataSource>
	</DataSources>
	<ResponseActions>
		<ITRTResponseAction>
			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D001700000025004F00700065007200610074006F00720020004100630063006F0075006E00740020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D001900000025004F00700065007200610074006F00720020004100630063006F0075006E007400200044006F006D00610069006E002500</ProviderConfig>
			<Guid>{1C152F0B-0AB4-4CB9-AE03-4AF867BD7AF3}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
			<ExecutionOrder>0</ExecutionOrder>
			<Destination>0</Destination>
			
		</ITRTResponseAction>
		<ITRTResponseAction>
			<ProviderConfig>01000000260000007B00310044004100370045004100310039002D0036003700410039002D0034004300340045002D0041003800350030002D003200380043004600390044004500360031003600450039007D0004000000260000007B00310044003500380038004100310046002D0031003200310035002D0034003800350031002D0042003200360036002D004600330035003200330032003000360045003000310043007D000A000000250043006F006D00700075007400650072002500260000007B00360046004400410044003200390044002D0046003300310044002D0034004100330031002D0042003800320035002D004400430046004300380041003500310037003900310031007D0010000000250043006F006D007000750074006500720044006F006D00610069006E002500260000007B00410033003200380046004300310030002D0041003500330038002D0034003000410032002D0039003800380031002D004300350032003500420033003500370038004200410033007D002900000025005400610072006700650074002000470072006F0075007000200044006F006D00610069006E0025005C0025005400610072006700650074002000470072006F007500700020004E0061006D0065002500260000007B00430038004600310045003900390037002D0030003000420042002D0034004300380035002D0041004100310035002D004500350037003600460036003200430044004200300041007D001000000025004D0065006D0062006500720020004100630063006F0075006E0074002500</ProviderConfig>
			<Guid>{9B183A3A-D697-439A-B863-730B7A8058DB}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
			<ExecutionOrder>1</ExecutionOrder>
			<Destination>0</Destination>
			
		</ITRTResponseAction>
		<ITRTResponseAction>
			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
			<Guid>{98A68F27-D1BC-4D30-87B0-B6204005264B}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
			<ExecutionOrder>2</ExecutionOrder>
			<Destination>0</Destination>
			
		</ITRTResponseAction>
	</ResponseActions>
	<AlertFields>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{05AB5691-6EB3-4BF2-B4F0-0A99ACBD223A}</Guid>
			<FieldValue>%MemAccount%</FieldValue>
			<FieldName>Member Account</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{200CBEE9-4D91-466F-84EC-42BC84F87591}</Guid>
			<FieldValue>%TargetName%</FieldValue>
			<FieldName>Target Group Name</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{F124999B-FAE9-4603-9DE3-67DD1D1E07EB}</Guid>
			<FieldValue>%OperatorName%</FieldValue>
			<FieldName>Operator Account Name</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{834F808A-C392-40C4-83F4-A757E98F8A72}</Guid>
			<FieldValue>%OperatorDomain%</FieldValue>
			<FieldName>Operator Account Domain</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{8DEDEF63-4B24-4AC2-81C1-CB29C2930B2E}</Guid>
			<FieldValue>%TargetDomain%</FieldValue>
			<FieldName>Target Group Domain</FieldName>
			
		</ITRTAlertField>
	</AlertFields>
</ITRTProcessingRule>

0 benybb over 5 years ago in reply to Igor.Ilyin

Thanks ! I will repalce it -.

Finally i started to get alerts for 4771 event id but he is also sending me alerts with "comp name$" as user

InTrust Major alert - Multiple pre-authentication failures.

There were 5 pre-authentication failures by MSTS-LEV2$ user (IP: ::ffff:10.1.37.132) attempting to gain access to the krbtgt/DOMAIN.COM service.

Thanks in advance

0 Igor.Ilyin over 5 years ago in reply to benybb

And this one, "Multiple pre-authentication failures, with computer account filtering".

I've changed the logic a bit. The original rule triggers on the batch of 4771 events from any users. The following one considers the user name.

Multiple pre-authentication failures with computer account filtering.xml

Fullscreen

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: Multiple pre-authentication failures with computer account filtering.xml $
$Revision: 0 $
$Modtime: 7/3/2020 9:38:58 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description><![CDATA[This rule is matched when there are more than the specified number of pre-authentication failures within the specified period of time.
The rule's parameters are Threshold and Period. When specifying the Threshold, supply the number of pre-authentication failures. The rule will be matched when the threshold is exceeded. When specifying the Period, supply the time length within which the failures must occur.
The rule has no response actions.]]></Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>Multiple pre-authentication failures, with computer account filtering</Name>
	<Guid>{2F92CE1F-8452-40DF-BCCB-71D01CF951A8}</Guid>
	<MatchCondition>010000005A0500003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006400650073006300720069007000740069006F006E003D002200540069006D006500200070006500720069006F006400200069006E00200077006800690063006800200074006800650020006500760065006E007400730020006F0063006300750072007200650064002E002200200063006C006100730073003D0022004400610074006500540069006D006500520061006E006700650022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200300030003A00300031003A003000300022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D0022005400680072006500730068006F006C006400220020006E0061006D0065003D0022005400680072006500730068006F006C006400220020006400650073006300720069007000740069006F006E003D0022004500760065006E007400730020007400680072006500730068006F006C0064002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0035003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A004500760065006E0074004900440020003D00200034003700370031003B000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F0074002000280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A0063006F0075006E0074002800730065006C006500630074005F00660069006C007400650072006500640028000D000A00200020002000200020002000200020004500760065006E0074004900440020003D0020003400370037003100200061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700310029002C000D000A00200020002000200020002000200020005A002E004500760065006E0074004900440020003D0020004500760065006E00740049004400200061006E00640020007300740072006900650071007500280020005A002E0053007400720069006E00670031002C00200053007400720069006E0067003100200029002C000D000A00200020002000200020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E00200029002000290020000D000A0020002000200020002600670074003B003D0020003C0070006100720061006D00650074006500720020006E0061006D0065003D0022005400680072006500730068006F006C00640022003E003C002F0070006100720061006D0065007400650072003E000D000A0061006E006400200065006D007000740079002800730065006C006500630074005F006D0061007400630068006500730028000D000A0020002000200020007300740072006900650071007500280020005A005B0030005D002E0053007400720069006E00670031002C00200053007400720069006E0067003100200029002C000D000A0020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E000D000A002000200020002000290029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C0064002800220055007300650072004900500022002C00200053007400720069006E00670037002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
	<AlertSeverity>32</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
	<VendorKnowledgeBase>01000000670000004D0075006C007400690070006C00650020007000720065002D00610075007400680065006E007400690063006100740069006F006E0020006600610069006C0075007200650020006500760065006E007400730020006D0061007900200069006E00640069006300610074006500200069006E0074007200750064006500720020006100630074006900760069007400790020007300750063006800200061007300200061002000620072007500740065002D0066006F007200630065002000610074007400610063006B002E00</VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>There were %match.eventcount% pre-authentication failures by %User Name% user (IP: %Client IP%) attempting to gain access to the %Service% service</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition>0100000000000000</FilterCondition>
	<AlertDescription></AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_AD_ATP_0030 (2)</AlertCode>
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{EB75BF10-1020-4482-BFD3-42076242CC95}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800BD01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{E53A37B2-DF61-4E14-8A0F-34000398625D}</Guid>
			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
		</ITRTRuleDataSource>
	</DataSources>
	<ResponseActions>
		<ITRTResponseAction>
			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
			<Guid>{C960F3B4-35D5-422A-99F5-F5870112BF7A}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
			<ExecutionOrder>0</ExecutionOrder>
			<Destination>0</Destination>
		</ITRTResponseAction>
	</ResponseActions>
	<AlertFields>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{614E20BD-E2DB-4412-9C3D-AB03D65BB5BF}</Guid>
			<FieldValue>%String1%</FieldValue>
			<FieldName>User Name</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{A767FC57-9C29-4DB9-A086-46BB90DEBE3E}</Guid>
			<FieldValue>%UserIP%</FieldValue>
			<FieldName>Client IP</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{BC9F1A37-3AD4-4A63-A77F-6389B00E5129}</Guid>
			<FieldValue>%String3%</FieldValue>
			<FieldName>Service</FieldName>
		</ITRTAlertField>
	</AlertFields>
</ITRTProcessingRule>

0 benybb over 5 years ago in reply to Igor.Ilyin

Regarding "Multiple pre-authentication failures, with computer account filtering"

Thank you for that !

Is there a way to know: "On Which RDP TERMINAL SERVER" the user tried and failed to login ??

Like in this real example, I cannot see which terminal server the user "bebaruch" tried to connect to and failed :

I received on each alert (after 10 failed tries) 2 emails :

First :

InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.6.19) attempting to gain access to the krbtgt/domain service

Alert was generated on computer dc-lev5.DOMAIN.COM

(10.1.6.19 is a dc server named dc-lev1)

Second :

InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.5.39) attempting to gain access to the krbtgt/domain service

Alert was generated on computer dc-lev1.domain.com.

(10.1.5.39 is the physical computer that the user tried to RDP FROM(origin) but not the terminal server where the login actually failed )

Thanks In Advance
0 Igor.Ilyin over 5 years ago in reply to benybb

To my understanding no, these 4771 events do not contain such info as terminal server IP or name.

0 Igor.Ilyin over 5 years ago

The second one, "Change password attempt on administrative account with computer account filtering"

Change password attempt on administrative account with computer account filtering.xml

Fullscreen

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: Change password attempt on administrative account with computer account filtering.xml $
$Revision: 0 $
$Modtime: 7/1/2020 9:02:47 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description><![CDATA[This rule is matched when there is a successful or unsuccessful attempt to change the password of an administrative account.
The rule's parameters are the list of users (Accounts List) and the list of groups the users are member of (Groups List). When specifying parameters, include groups with whose members password changes you want to monitor.
The rule has no response actions.]]></Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>Change password attempt on administrative account, with computer account filtering</Name>
	<Guid>{F026F480-6DF5-45A4-BE42-FF67098476AB}</Guid>
	<MatchCondition>010000005D0B00003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D0022004100630063006F0075006E007400730020004C00690073007400220020006E0061006D0065003D0022004100630063006F0075006E007400730020004C006900730074002200200063006C006100730073003D0022004C00690073007400220020006400650073006300720069007000740069006F006E003D002200410020006C0069007300740020006F00660020007400610072006700650074002000610064006D0069006E0069007300740072006100740069007600650020006100630063006F0075006E007400730020006E0061006D006500730022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0022002A005C005C00410064006D0069006E006900730074007200610074006F00720022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200470072006F0075007000730020004C00690073007400220020006E0061006D0065003D002200470072006F0075007000730020004C006900730074002200200063006C006100730073003D0022004C00690073007400220020006400650073006300720069007000740069006F006E003D002200410020006C0069007300740020006F00660020007400610072006700650074002000670072006F00750070007300200066006F00720020006D0061006E006100670069006E006700200070006F006C0069006300690065007300200069006E00200061006E0020006F007200670061006E0069007A006100740069006F006E0022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E00220044006F006D00610069006E002000410064006D0069006E00730022002C0020002200470072006F0075007000200050006F006C006900630079002000430072006500610074006F00720020004F0077006E006500720022002C0020002200410064006D0069006E006900730074007200610074006F007200730022002C002000220045006E00740065007200700072006900730065002000410064006D0069006E00730022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A004500760065006E0074004900440020003D002000340037003200330020006F00720020004500760065006E0074004900440020003D00200034003700320034003B000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F007400280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A006400650066002000760061006C00690064006100740065005200650073006F006C007600650064005400610072006700650074004100630063006F0075006E0074002800290020003A003D000D000A007B000D000A002000200020002000630068006F006F0073006500280028004500760065006E0074004900440020003D002000340037003200330029002C000D000A002000200020002000200020002000200020002000200069006E002800200053007400720069006E006700310031002C00200022007700690022002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004100630063006F0075006E007400730020004C0069007300740022003E003C002F0070006100720061006D0065007400650072003E00290029000D000A00200020002000200020002000200020002000200020006F0072000D000A00200020002000200020002000200020002000200020006D0065006D006200650072005F006F0066002800200053007400720069006E006700310031002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D002200470072006F0075007000730020004C0069007300740022003E003C002F0070006100720061006D0065007400650072003E0029002C0020007400720075006500200029002C000D000A002000200020002000200020002000200020002000200069006E002800200053007400720069006E006700310030002C00200022007700690022002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004100630063006F0075006E007400730020004C0069007300740022003E003C002F0070006100720061006D0065007400650072003E00290029000D000A00200020002000200020002000200020002000200020006F0072000D000A00200020002000200020002000200020002000200020006D0065006D006200650072005F006F0066002800200053007400720069006E006700310030002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D002200470072006F0075007000730020004C0069007300740022003E003C002F0070006100720061006D0065007400650072003E0029002C0020007400720075006500200029000D000A00200020002000200020002000200020002000200029000D000A007D000D000A000D000A006400650066002000760061006C00690064006100740065005200650073006F006C007600650064004F00700065007200610074006F0072004100630063006F0075006E0074002800290020003A003D000D000A007B000D000A002000200020002000630068006F006F0073006500280028004500760065006E0074004900440020003D002000340037003200330029002C000D000A0020002000200020002000200020002000200020002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E0067003100320029002C000D000A0020002000200020002000200020002000200020002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E0067003100310029000D000A00200020002000200020002000200020002000200029000D000A007D000D000A000D000A0064006500660020007300650074004F00700065007200610074006F0072004100630063006F0075006E0074004600690065006C00640073002800290020003A003D000D000A007B000D000A0020002000200020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F00720044006F006D00610069006E0022002C00200053007400720069006E00670036002C002000740072007500650029000D000A00200020002000200061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F0072004E0061006D00650022002C00200053007400720069006E00670035002C002000740072007500650029000D000A007D000D000A000D000A0064006500660020007300650074005400610072006700650074004100630063006F0075006E0074004600690065006C00640073002800290020003A003D000D000A007B000D000A002000200020002000630068006F006F00730065002800280053007400720069006E0067003100200021003D0020002200220029002C000D000A00200020002000200020002000200020002000200020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C00200053007400720069006E00670032002C002000740072007500650029000D000A002000200020002000200020002000200020002000200061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C00200053007400720069006E00670031002C002000740072007500650029002C000D000A0020002000200020002000200020002000200020002000630068006F006F0073006500280028004500760065006E0074004900440020003D002000340037003200330029002C000D000A0020002000200020002000200020002000200020002000200020002000200020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C002000730075006200730074007200280053007400720069006E006700310031002C00200030002C002000730074007200730074007200280053007400720069006E006700310031002C00200022005C005C002200290029002C002000740072007500650029000D000A00200020002000200020002000200020002000200020002000200020002000200061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C002000730075006200730074007200280053007400720069006E006700310031002C002000730074007200730074007200280053007400720069006E006700310031002C00200022005C005C002200290020002B00200031002C0020002D00310029002C002000740072007500650029002C000D000A0020002000200020002000200020002000200020002000200020002000200020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C002000730075006200730074007200280053007400720069006E006700310030002C00200030002C002000730074007200730074007200280053007400720069006E006700310030002C00200022005C005C002200290029002C002000740072007500650029000D000A00200020002000200020002000200020002000200020002000200020002000200061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C002000730075006200730074007200280053007400720069006E006700310030002C002000730074007200730074007200280053007400720069006E006700310030002C00200022005C005C002200290020002B00200031002C0020002D00310029002C002000740072007500650029000D000A002000200020002000200020002000200020002000200029000D000A00200020002000200020002000200020002000200029000D000A007D000D000A000D000A0028004500760065006E0074004900440020003D002000340037003200330020006F00720020004500760065006E0074004900440020003D002000340037003200340029000D000A0061006E0064002000760061006C00690064006100740065005200650073006F006C007600650064005400610072006700650074004100630063006F0075006E007400280029000D000A0061006E0064002000760061006C00690064006100740065005200650073006F006C007600650064004F00700065007200610074006F0072004100630063006F0075006E007400280029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700350029000D000A0061006E00640020007300650074004F00700065007200610074006F0072004100630063006F0075006E0074004600690065006C0064007300280029000D000A0061006E00640020007300650074005400610072006700650074004100630063006F0075006E0074004600690065006C0064007300280029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
	<AlertSeverity>48</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00</Schedule>
	<VendorKnowledgeBase>01000000900000004300680061006E00670065007300200074006F0020007400680065002000700061007300730077006F0072006400730020006F0066002000610064006D0069006E0069007300740072006100740069007600650020006100630063006F0075006E00740073002000730068006F0075006C00640020006200650020006D006F006E00690074006F0072006500640020006300610072006500660075006C006C007900200073006F00200079006F0075002000630061006E002000700072006F006D00700074006C007900200072006500610063007400200074006F00200061006E007900200075006E00770061007200720061006E007400650064002000700061007300730077006F007200640020006300680061006E006700650073002E00</VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>There was administrative account %Target Domain%\%Target Name% password change attempt by %Operator Domain%\%Operator Name% user</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition>0100000000000000</FilterCondition>
	<AlertDescription></AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_AD_ATP_0055 (2)</AlertCode>
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{1F0E5507-19CA-4523-9544-379577240A55}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800ED01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E004400250025003200300049006E00730065007200740069006F006E0053007400720069006E006700310025002500330044002500250032003200250053007400720069006E006700310025002500250032003200250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{F8F6F35D-800C-441E-BA0E-77485E4A66A2}</Guid>
			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
		</ITRTRuleDataSource>
	</DataSources>
	<ResponseActions>
		<ITRTResponseAction>
			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
			<Guid>{85711607-36E4-49F1-99A2-BE64696F8223}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
			<ExecutionOrder>0</ExecutionOrder>
			<Destination>0</Destination>
		</ITRTResponseAction>
	</ResponseActions>
	<AlertFields>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{02F9E93F-B840-4EFF-9F28-50AF93DD0059}</Guid>
			<FieldValue>%TargetDomain%</FieldValue>
			<FieldName>Target Domain</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{303C6431-1187-418C-A23A-35C866A98B44}</Guid>
			<FieldValue>%OperatorDomain%</FieldValue>
			<FieldName>Operator Domain</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{FF48C2E0-2C66-4B00-B708-B600C92908EB}</Guid>
			<FieldValue>%TargetName%</FieldValue>
			<FieldName>Target Name</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{C591135F-51D9-4D53-A9FB-8CA6D3FE7485}</Guid>
			<FieldValue>%OperatorName%</FieldValue>
			<FieldName>Operator Name</FieldName>
		</ITRTAlertField>
	</AlertFields>
</ITRTProcessingRule>

0 Igor.Ilyin over 5 years ago

The third one, "User account enabled by unauthorized personnel with computer account filtering"

User account enabled by unauthorized personnel with computer account filtering.xml

Fullscreen

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: User account enabled by unauthorized personnel with computer account filtering.xml $
$Revision: 0 $
$Modtime: 7/2/2020 3:44:42 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description><![CDATA[This rule is matched when a user account is enabled by personnel not specified as authorized. The rule's parameter is Authorized Groups. When specifying the Authorized Groups, include groups whose members are allowed to manage user accounts.
The rule disables both the operator account and the enabled account.
This rule cannot be used to monitor for actions performed using agent account.]]></Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>User account enabled by unauthorized personnel, with computer account filtering</Name>
	<Guid>{6FEBFEDA-DEE2-4C00-BCF0-75CF6F77901D}</Guid>
	<MatchCondition>01000000030500003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200470072006F007500700020004C00690073007400220020006E0061006D0065003D002200470072006F007500700020004C006900730074002200200063006C006100730073003D0022004C00690073007400220020006400650073006300720069007000740069006F006E003D002200410020006C0069007300740020006F0066002000670072006F00750070007300200066006F00720020006D0061006E006100670069006E0067002000750073006500720020006100630063006F0075006E0074007300200069006E00200061006E0020006F007200670061006E0069007A006100740069006F006E0022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200410064006D0069006E006900730074007200610074006F007200730022002C0022004100630063006F0075006E00740020004F00700065007200610074006F007200730022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F0074002000280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A004500760065006E0074004900440020003D00200034003700320032000D000A0061006E00640020006E006F00740020006500780069007300740028002000700072006500760069006F00750073005F006C0069006D00280020005A002E004500760065006E0074004900440020003D0020003400370032003000200061006E00640020005A002E0053007400720069006E006700310020003D00200053007400720069006E00670031002C0020002200300030003A00300030003A003000310022002000290029000D000A0061006E00640020006E006F0074002000690073005F00630075007200720065006E0074005F0075007300650072002800200053007400720069006E00670036002C00200053007400720069006E0067003500200029000D000A0061006E00640020006E006F00740020006D0065006D006200650072005F006F006600280020007300740072006300610074002800200053007400720069006E00670036002C00200022005C005C0022002C00200053007400720069006E0067003500200029002C0020006100720072006100790028003C0070006100720061006D00650074006500720020006E0061006D0065003D002200470072006F007500700020004C0069007300740022002F003E0029002C0020007400720075006500200029000D000A0061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700350029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F0072004E0061006D00650022002C00200053007400720069006E00670035002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022004F00700065007200610074006F00720044006F006D00610069006E0022002C00200053007400720069006E00670036002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005400610072006700650074004E0061006D00650022002C00200053007400720069006E00670031002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C0064002800220054006100720067006500740044006F006D00610069006E0022002C00200053007400720069006E00670032002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E00</MatchCondition>
	<AlertSeverity>32</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
	<VendorKnowledgeBase>01000000EA0000004F006E006C007900200061007500740068006F00720069007A00650064002000610064006D0069006E006900730074007200610074006F00720073002000730068006F0075006C006400200065006E00610062006C0065002000750073006500720020006100630063006F0075006E00740073002E00200049006600200073006F006D0065006F006E006500200065006C0073006500200064006F00650073002C002000740068006900730020006D0061007900200069006E00640069006300610074006500200061002000700072006F0062006C0065006D002E00200049006E00200073007500630068002000630061007300650073002C00200074006800650020006D006F007400690076006100740069006F006E00200066006F007200200065006E00610062006C0069006E006700200074006800650020006100630063006F0075006E007400200069007300200075006E006B006E006F0077006E002E002000570068006100740020006900730020006D006F00720065002C002000740068006500200063006F00720070006F007200610074006500200070006F006C006900630079002000690073002000760069006F006C0061007400650064002000740068006900730020007700610079002E00</VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>Account %Target Account Domain%\%Target Account Name% enabled by %Operator Account Domain%\%Operator Account Name%</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition>0100000000000000</FilterCondition>
	<AlertDescription></AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_AD_SEC_0131 (2)</AlertCode>
	
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{DFC92E40-3098-4627-BDF5-2C0266AEBF6D}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800BD01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
			
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{EAA31AEB-1F6D-45B8-9EC8-10EE06D97110}</Guid>
			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
			
		</ITRTRuleDataSource>
	</DataSources>
	<ResponseActions>
		<ITRTResponseAction>
			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D0015000000250054006100720067006500740020004100630063006F0075006E00740020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D0017000000250054006100720067006500740020004100630063006F0075006E007400200044006F006D00610069006E002500</ProviderConfig>
			<Guid>{B2354848-A20E-48C4-B473-3642E65B6D31}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
			<ExecutionOrder>1</ExecutionOrder>
			<Destination>0</Destination>
			
		</ITRTResponseAction>
		<ITRTResponseAction>
			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D001700000025004F00700065007200610074006F00720020004100630063006F0075006E00740020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D001900000025004F00700065007200610074006F00720020004100630063006F0075006E007400200044006F006D00610069006E002500</ProviderConfig>
			<Guid>{AC693D4F-76B1-4661-A084-458627D5D2AF}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
			<ExecutionOrder>0</ExecutionOrder>
			<Destination>0</Destination>
			
		</ITRTResponseAction>
		<ITRTResponseAction>
			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
			<Guid>{FAEFCBEC-6366-4D74-90F8-5FBF7A1F386E}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
			<ExecutionOrder>2</ExecutionOrder>
			<Destination>0</Destination>
			
		</ITRTResponseAction>
	</ResponseActions>
	<AlertFields>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{3966DE27-5670-4874-B0CF-2E2B8441D108}</Guid>
			<FieldValue>%TargetName%</FieldValue>
			<FieldName>Target Account Name</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{B1AE2630-EACB-4A51-8EAD-40A969E0E1BB}</Guid>
			<FieldValue>%TargetDomain%</FieldValue>
			<FieldName>Target Account Domain</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{970AA464-C71B-46D9-B56D-B2B8F746E695}</Guid>
			<FieldValue>%OperatorDomain%</FieldValue>
			<FieldName>Operator Account Domain</FieldName>
			
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{41339110-7070-40CC-897F-BB62D693C86B}</Guid>
			<FieldValue>%OperatorName%</FieldValue>
			<FieldName>Operator Account Name</FieldName>
			
		</ITRTAlertField>
	</AlertFields>
</ITRTProcessingRule>

0 benybb over 5 years ago in reply to Igor.Ilyin

thanks

0 Igor.Ilyin over 5 years ago

The fourth one, "Multiple failed logons by the same user with computer account filtering"

Multiple failed logons by the same user with computer account filtering.xml

Fullscreen

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: Multiple failed logons by the same user with computer account filtering.xml $
$Revision: 0 $
$Modtime: 7/2/2020 9:32:17 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description><![CDATA[This rule is matched when there are more than the specified number of failed logons made by the same user within the specified period of time.
The rule's parameters are Threshold and Time Period. When specifying the Threshold, supply the number of failed logon attempts. The rule will be matched when the threshold is exceeded. When specifying the Time Period, supply the time length within which the attempts must occur.]]></Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>Multiple failed logons by the same user, with computer account filtering</Name>
	<Guid>{9EC55E7B-B8EC-4420-84CC-4EDEFC271EB0}</Guid>
	<MatchCondition>010000004A0700003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006400650073006300720069007000740069006F006E003D002200540069006D006500200070006500720069006F0064002000770069007400680069006E00200077006800690063006800200074006800650020006500760065006E007400730020006F0063006300750072007200650064002E002200200063006C006100730073003D0022004400610074006500540069006D006500520061006E006700650022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200300030003A00300031003A003000300022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D0022005400680072006500730068006F006C006400220020006E0061006D0065003D0022005400680072006500730068006F006C006400220020006400650073006300720069007000740069006F006E003D0022004500760065006E007400730020007400680072006500730068006F006C0064002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0035003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A000D000A004500760065006E0074004900440020003D002000340036003200350020000D000A0061006E0064002000280020007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C002000220030007800630030003000300030003000360034002200290020006F0072000D000A002000200020002000200020007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C0020002200300078006300300030003000300030003600610022002900200029003B000D000A000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F0074002000280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A0063006F0075006E0074002800730065006C006500630074005F00660069006C007400650072006500640028000D000A0020002000200020004500760065006E0074004900440020003D0020003400360032003500200061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700360029000D000A00200020002000200020002000200020002000200020002000200020002000200020002000200061006E006400200028007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C002000220030007800630030003000300030003000360034002200290020006F0072000D000A002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C002000220030007800630030003000300030003000360061002200290029002C000D000A0020002000200020007300740072006900650071007500280020005A002E0053007400720069006E00670036002C00200053007400720069006E006700360020002900200061006E00640020007300740072006900650071007500280020005A002E0053007400720069006E00670037002C00200053007400720069006E0067003700200029002C000D000A0020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E002000290029000D000A00200020002000200020002000200020002600670074003B003D0020003C0070006100720061006D00650074006500720020006E0061006D0065003D0022005400680072006500730068006F006C00640022003E003C002F0070006100720061006D0065007400650072003E000D000A000D000A0061006E006400200065006D007000740079002800730065006C006500630074005F006D0061007400630068006500730028000D000A0020002000200020007300740072006900650071007500280020005A005B0030005D002E0053007400720069006E00670036002C00200053007400720069006E006700360020002900200061006E00640020007300740072006900650071007500280020005A005B0030005D002E0053007400720069006E00670037002C00200053007400720069006E0067003700200029002C000D000A0020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E000D000A002000200020002000290029000D000A000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005F005500730072004E0061006D00650022002C00200053007400720069006E00670036002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005F0055007300720044006F006D00610069006E0022002C00200053007400720069006E00670037002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005F0057006F0072006B00530074006100740069006F006E0022002C00200053007400720069006E006700310034002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
	<AlertSeverity>32</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
	<VendorKnowledgeBase>01000000530000004D0075006C007400690070006C00650020006600610069006C006500640020006C006F0067006F006E00730020006D0061007900200069006E00640069006300610074006500200069006E0074007200750064006500720020006100630074006900760069007400790020007300750063006800200061007300200061002000620072007500740065002D0066006F007200630065002000610074007400610063006B002E00</VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>There were %match.eventcount% failed logons by user %User Domain%\%User Name% from workstation %Workstation%</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition>0100000000000000</FilterCondition>
	<AlertDescription></AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_AD_ATP_0035 (2)</AlertCode>
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{AC77BF67-2CBC-44D7-833D-45BA6D06670F}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02100000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D0065002500050000007500740066002D003800BD01000025004400650073006300720069007000740069006F006E0025000D000A000A000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000A000A0046006F007200200061006C00650072007400200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004D006F006E00690074006F00720069006E006700200043006F006E0073006F006C0065003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025000D000A000A0046006F00720020006500760065006E007400200061006E0061006C0079007300690073002C00200066006F006C006C006F007700200074006800650020006C0069006E006B00200074006F0020004900540020005300650063007500720069007400790020005300650061007200630068003A002000220025006F007200670070006100720061006D003A0049005400530065006100720063006800410064006400720065007300730025002F0023002F007300650061007200630068002F006500760065006E00740073003F0071003D004500760065006E00740049004400250025003300440025004500760065006E007400490044002500250025003200300041004E0044002500250032003000570068006F00250025003300440025002500320032002500570068006F0025002500250032003200250025003200300041004E00440025002500320030005700680065007200650025002500330044002500250032003200250057006800650072006500250025002500320032002200</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{B619E7A5-187B-4017-AE48-D681F3AE6DBE}</Guid>
			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
		</ITRTRuleDataSource>
	</DataSources>
	<ResponseActions>
		<ITRTResponseAction>
			<ProviderConfig>010000000F0000003200350035002E003200350035002E003200350035002E00320035003500060000007000750062006C006900630001000000360003000000310030003000100000000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000001000000060F000000250061006C006500720074002E0041006C006500720074004900640025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000A000000060E000000250061006C006500720074002E00520075006C0065004900440025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000B0000000610000000250061006C006500720074002E00520075006C0065004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000C0000000610000000250061006C006500720074002E0048006F00730074004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000D0000000612000000250061006C006500720074002E005300650072007600650072004E0061006D00650025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000E0000000613000000250061006C006500720074002E00470065006E006500720061007400650064004F006E0025000C010000000300000006000000010000000400000001000000850F0000010000000200000001000000010000000F0000000611000000250061006C006500720074002E0041006C0065007200740043006F006400650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000020000000615000000250061006C006500720074002E00540069006D006500470065006E0065007200610074006500640025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000003000000061A000000250061006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000004000000060D000000250061006C006500720074002E005300740061007400650025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000005000000060C000000250061006C006500720074002E004E0061006D00650025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000060000000613000000250061006C006500720074002E004400650073006300720069007000740069006F006E0025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000070000000610000000250061006C006500720074002E005300650076006500720069007400790025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000008000000060F000000250061006C006500720074002E0043006F006D006D0065006E00740025000C010000000300000006000000010000000400000001000000850F000001000000020000000100000001000000090000000612000000250061006C006500720074002E00410073007300690067006E006500640054006F0025000C010000000300000006000000010000000400000001000000850F00000100000002000000010000000100000010000000062700000025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C00650072007400690064002500</ProviderConfig>
			<Guid>{4A3A1A11-685D-426B-AD27-77FAA955352C}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
			<ExecutionOrder>1</ExecutionOrder>
			<Destination>0</Destination>
		</ITRTResponseAction>
		<ITRTResponseAction>
			<ProviderConfig>01000000260000007B00360042003600310030004600330034002D0032003700310044002D0034003400340046002D0039003600450033002D004500330030004300430041003900340045003800300036007D0002000000260000007B00340031004400420030004500390034002D0031004400310032002D0034004400360030002D0039004600440031002D003800350031004200370036003500440036004100440035007D000B0000002500550073006500720020004E0061006D0065002500260000007B00460045004600380046004200410038002D0041004200330044002D0034003900430039002D0038003200360031002D003300430042003700440045003500410041003400380033007D000D00000025005500730065007200200044006F006D00610069006E002500</ProviderConfig>
			<Guid>{D46B0090-DF57-4520-832B-B37029D59822}</Guid>
			<Timeout>0</Timeout>
			<Distribution></Distribution>
			<Enabled>0</Enabled>
			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
			<ExecutionOrder>0</ExecutionOrder>
			<Destination>0</Destination>
		</ITRTResponseAction>
	</ResponseActions>
	<AlertFields>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{2AEA1EDD-BFB9-4D28-A8F3-89B165C8260B}</Guid>
			<FieldValue>%_UsrDomain%</FieldValue>
			<FieldName>User Domain</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{736054BF-D2CE-41C8-95E8-32DB27E64635}</Guid>
			<FieldValue>%_WorkStation%</FieldValue>
			<FieldName>Workstation</FieldName>
		</ITRTAlertField>
		<ITRTAlertField>
			<Suppression>0</Suppression>
			<Guid>{FB48EECF-1E40-451E-9519-FA339F0760F2}</Guid>
			<FieldValue>%_UsrName%</FieldValue>
			<FieldName>User Name</FieldName>
		</ITRTAlertField>
	</AlertFields>
</ITRTProcessingRule>

0 benybb over 5 years ago in reply to Igor.Ilyin

HI

Regarding :"Multiple failed logons by the same user with computer account filtering"

This new one send me still a lot of alerts with the "Computer Name" as Username - like those examples :

InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-TAL1 from workstation MSTS-TAL1

Alert was generated on computer msts-tal1.DOMAIN.COM

InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-LEV4 from workstation MSTS-LEV4

Alert was generated on computer msts-lev4.DOMAIN.COM
- 0 Igor.Ilyin over 5 years ago in reply to benybb
  
  I made a change in the function in all 5 rules, so please replace them all. If the problem still persists, I will ask you to provide specific events that trigger the alert.
  
  FixRules.zip