Filter Out computer name in some Rules

Hello,

I wish to filter out the computer name in some rules.

The rules make false alerts with the computer name as user name.

How exactly can I do that?

Thanks in advance 

*********

Rule (I) : Member added to an administrative group


Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I) : Change Password Attempt on Administrative Account


There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A) : User Account enabled by unauthorized personnel


Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM

****************
Rule (A) : Multiple failed logons by the same user


There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

  • The fourth one, "Multiple failed logons by the same user with computer account filtering"

    Multiple failed logons by the same user with computer account filtering.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2020 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Multiple failed logons by the same user with computer account filtering.xml $
    $Revision: 0 $
    $Modtime: 7/2/2020 9:32:17 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{C54162A9-E4D0-4747-97A1-8B0FFF7E0B85}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description><![CDATA[This rule is matched when there are more than the specified number of failed logons made by the same user within the specified period of time.
    The rule's parameters are Threshold and Time Period. When specifying the Threshold, supply the number of failed logon attempts. The rule will be matched when the threshold is exceeded. When specifying the Time Period, supply the time length within which the attempts must occur.]]></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>Multiple failed logons by the same user, with computer account filtering</Name>
    	<Guid>{9EC55E7B-B8EC-4420-84CC-4EDEFC271EB0}</Guid>
    	<MatchCondition>010000004A0700003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006E0061006D0065003D002200540069006D006500200070006500720069006F006400220020006400650073006300720069007000740069006F006E003D002200540069006D006500200070006500720069006F0064002000770069007400680069006E00200077006800690063006800200074006800650020006500760065006E007400730020006F0063006300750072007200650064002E002200200063006C006100730073003D0022004400610074006500540069006D006500520061006E006700650022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E002200300030003A00300031003A003000300022003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D0022005400680072006500730068006F006C006400220020006E0061006D0065003D0022005400680072006500730068006F006C006400220020006400650073006300720069007000740069006F006E003D0022004500760065006E007400730020007400680072006500730068006F006C0064002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0035003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A0020002000200020003C0061007200670075006D0065006E007400200064006900730070006C00610079006E0061006D0065003D00220043006F006E007300690064006500720020004F00700065007200610074006F007200200043006F006D007000750074006500720020004100630063006F0075006E0074007300220020006E0061006D0065003D0022004F00700065007200610074006F00720043006F0
06D00700075007400650072004100630063006F0075006E0074007300220020006400650073006300720069007000740069006F006E003D002200300020002D0020006500780063006C0075006400650020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002000660072006F006D00200063006F006E00730069006400650072006100740069006F006E002C002000310020002D00200063006F006E007300690064006500720020006F00700065007200610074006F007200200063006F006D007000750074006500720020006100630063006F0075006E00740073002E002200200063006C006100730073003D0022004E0075006D0062006500720022003E000D000A00200020002000200020002000200020003C00760061006C00750065003E0030003C002F00760061006C00750065003E000D000A0020002000200020003C002F0061007200670075006D0065006E0074003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C00700072006500660069006C007400650072003E000D000A000D000A004500760065006E0074004900440020003D002000340036003200350020000D000A0061006E0064002000280020007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C002000220030007800630030003000300030003000360034002200290020006F0072000D000A002000200020002000200020007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C0020002200300078006300300030003000300030003600610022002900200029003B000D000A000D000A003C002F00700072006500660069006C007400650072003E000D000A003C0062006F00640079003E000D000A000D000A006400650066002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E007400280070006100720061006D002C0020007300740072004E00290020003A003D000D000A007B000D000A0020002000200020006E006F0074002000280070006100720061006D0020003D0020003000200061006E0064002000730075006200730074007200280020007300740072004E002C0
020007300740072006C0065006E0028007300740072004E00290020002D00200031002C00200031002000290020003D00200022002400220029000D000A007D000D000A000D000A0063006F0075006E0074002800730065006C006500630074005F00660069006C007400650072006500640028000D000A0020002000200020004500760065006E0074004900440020003D0020003400360032003500200061006E0064002000760061006C006900640061007400650043006F006D00700075007400650072004100630063006F0075006E00740028003C0070006100720061006D00650074006500720020006E0061006D0065003D0022004F00700065007200610074006F00720043006F006D00700075007400650072004100630063006F0075006E007400730022003E003C002F0070006100720061006D0065007400650072003E002C00200053007400720069006E006700360029000D000A00200020002000200020002000200020002000200020002000200020002000200020002000200061006E006400200028007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C002000220030007800630030003000300030003000360034002200290020006F0072000D000A002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020007300740072006900650071007500280053007400720069006E00670038002C0020002200300078006300300030003000300030003600640022002900200061006E00640020007300740072006900650071007500280053007400720069006E006700310030002C002000220030007800630030003000300030003000360061002200290029002C000D000A0020002000200020007300740072006900650071007500280020005A002E0053007400720069006E00670036002C00200053007400720069006E006700360020002900200061006E00640020007300740072006900650071007500280020005A002E0053007400720069006E00670037002C00200053007400720069006E0067003700200029002C000D000A0020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E002000290029000D000A00200020002000200020002000200020002600670074003B003D0020003C00700
06100720061006D00650074006500720020006E0061006D0065003D0022005400680072006500730068006F006C00640022003E003C002F0070006100720061006D0065007400650072003E000D000A000D000A0061006E006400200065006D007000740079002800730065006C006500630074005F006D0061007400630068006500730028000D000A0020002000200020007300740072006900650071007500280020005A005B0030005D002E0053007400720069006E00670036002C00200053007400720069006E006700360020002900200061006E00640020007300740072006900650071007500280020005A005B0030005D002E0053007400720069006E00670037002C00200053007400720069006E0067003700200029002C000D000A0020002000200020003C0070006100720061006D00650074006500720020006E0061006D0065003D002200540069006D006500200070006500720069006F00640022003E003C002F0070006100720061006D0065007400650072003E000D000A002000200020002000290029000D000A000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005F005500730072004E0061006D00650022002C00200053007400720069006E00670036002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005F0055007300720044006F006D00610069006E0022002C00200053007400720069006E00670037002C002000740072007500650029000D000A0061006E00640020007300650074005F0061006C006500720074005F006600690065006C006400280022005F0057006F0072006B00530074006100740069006F006E0022002C00200053007400720069006E006700310034002C002000740072007500650029003B000D000A000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E000D000A00</MatchCondition>
    	<AlertSeverity>32</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>00000000000000000000000000000000000000000000000000000000</Schedule>
    	<VendorKnowledgeBase>01000000530000004D0075006C007400690070006C00650020006600610069006C006500640020006C006F0067006F006E00730020006D0061007900200069006E00640069006300610074006500200069006E0074007200750064006500720020006100630074006900760069007400790020007300750063006800200061007300200061002000620072007500740065002D0066006F007200630065002000610074007400610063006B002E00</VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>There were %match.eventcount% failed logons by user %User Domain%\%User Name% from workstation %Workstation%</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>AE_AD_ATP_0035 (2)</AlertCode>
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{AC77BF67-2CBC-44D7-833D-45BA6D06670F}</Guid>
    			<ComposerTemplate><!-- template body not reproduced on the page --></ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{B619E7A5-187B-4017-AE48-D681F3AE6DBE}</Guid>
    			<DataSourceId>{A8CFC803-CDAD-47C5-B195-4C043A4F4BC7}</DataSourceId>
    		</ITRTRuleDataSource>
    	</DataSources>
    	<ResponseActions>
    		<ITRTResponseAction>
    			<ProviderConfig><!-- provider configuration not reproduced on the page --></ProviderConfig>
    			<Guid>{4A3A1A11-685D-426B-AD27-77FAA955352C}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{C3DFC923-4037-4C1B-A652-77767EBAF710}</ProviderId>
    			<ExecutionOrder>1</ExecutionOrder>
    			<Destination>0</Destination>
    		</ITRTResponseAction>
    		<ITRTResponseAction>
    			<ProviderConfig><!-- provider configuration not reproduced on the page --></ProviderConfig>
    			<Guid>{D46B0090-DF57-4520-832B-B37029D59822}</Guid>
    			<Timeout>0</Timeout>
    			<Distribution></Distribution>
    			<Enabled>0</Enabled>
    			<ProviderId>{E5D8E6C5-488A-42BF-B636-065E970F0067}</ProviderId>
    			<ExecutionOrder>0</ExecutionOrder>
    			<Destination>0</Destination>
    		</ITRTResponseAction>
    	</ResponseActions>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{2AEA1EDD-BFB9-4D28-A8F3-89B165C8260B}</Guid>
    			<FieldValue>%_UsrDomain%</FieldValue>
    			<FieldName>User Domain</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{736054BF-D2CE-41C8-95E8-32DB27E64635}</Guid>
    			<FieldValue>%_WorkStation%</FieldValue>
    			<FieldName>Workstation</FieldName>
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{FB48EECF-1E40-451E-9519-FA339F0760F2}</Guid>
    			<FieldValue>%_UsrName%</FieldValue>
    			<FieldName>User Name</FieldName>
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
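The `<MatchCondition>`, `<VendorKnowledgeBase>`, `<CustomerKnowledgeBase>` and `<FilterCondition>` values in the export above are not readable as posted: each is a hex string made of an 8-byte header followed by UTF-16LE text. The header layout (a little-endian 32-bit version, always 1 in this file, then a little-endian 32-bit character count) is an assumption inferred from the blobs on this page, not a documented InTrust format: the `<VendorKnowledgeBase>` header announces 0x53 = 83 characters and its payload is exactly the 83-character sentence the decoder below returns. The Python below is added here as an example; it is not part of the thread or of Quest's tooling. Decoding the `<MatchCondition>` blob with it shows what the "computer account filtering" actually is: the REL body defines `def validateComputerAccount(param, strN) := { not (param = 0 and substr( strN, strlen(strN) - 1, 1 ) = "$") }` and applies it to `String6` of event 4625, so with the `OperatorComputerAccounts` argument at its default of 0 an account is skipped only when its name ends in `$`.

```python
import struct
import xml.etree.ElementTree as ET

# Hex blob copied from the <VendorKnowledgeBase> element of the rule export
# above; small enough to verify by hand (header says 0x53 = 83 characters).
VENDOR_KB_HEX = (
    "0100000053000000"
    "4D0075006C007400690070006C006500"
    "20006600610069006C00650064002000"
    "6C006F0067006F006E00730020006D00610079002000"
    "69006E00640069006300610074006500200069006E00740072007500640065007200"
    "2000610063007400690076006900740079002000730075006300680020006100730020006100"
    "2000620072007500740065002D0066006F00720063006500"
    "2000610074007400610063006B002E00"
)

# Elements of an ITRTProcessingRule export that carry encoded text.
BLOB_ELEMENTS = ("MatchCondition", "VendorKnowledgeBase",
                 "CustomerKnowledgeBase", "FilterCondition")


def decode_intrust_blob(hex_text: str) -> str:
    """Decode one hex blob: 8-byte header, then UTF-16LE text.

    Header layout (assumption inferred from the blobs on this page):
    uint32 LE version (1) followed by uint32 LE character count.
    Whitespace is stripped first, because the page wraps the long blobs
    across several lines.
    """
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) < 8:
        raise ValueError("blob is shorter than its 8-byte header")
    version, char_count = struct.unpack("<II", raw[:8])
    if version != 1:
        raise ValueError(f"unexpected blob version {version}")
    payload = raw[8:]
    if len(payload) != 2 * char_count:
        raise ValueError(
            f"header announces {char_count} UTF-16 characters "
            f"but payload holds {len(payload) // 2}")
    return payload.decode("utf-16-le")


def decode_rule_blobs(xml_text: str) -> dict:
    """Return {element name: decoded text} for every blob element present
    directly under the ITRTProcessingRule root."""
    root = ET.fromstring(xml_text)
    decoded = {}
    for name in BLOB_ELEMENTS:
        node = root.find(name)
        if node is not None and node.text:
            decoded[name] = decode_intrust_blob(node.text)
    return decoded


# Constructed miniature of the export above (only two blob elements kept)
# so the functions can be exercised without the full file.
SAMPLE_RULE_XML = f"""<ITRTProcessingRule>
\t<VendorKnowledgeBase>{VENDOR_KB_HEX}</VendorKnowledgeBase>
\t<CustomerKnowledgeBase>0100000000000000</CustomerKnowledgeBase>
</ITRTProcessingRule>"""


if __name__ == "__main__":
    # Point this at the saved .xml from the thread to read its MatchCondition.
    for name, text in decode_rule_blobs(SAMPLE_RULE_XML).items():
        print(f"{name}: {text!r}")
```

Run it against the saved rule file (`decode_rule_blobs(open(path).read())`) to read the REL prefilter and body in plain text before deciding how to tune the rule; the character-count check makes a truncated or mis-pasted blob fail loudly instead of decoding to garbage.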
    

  • Hi

    Regarding: "Multiple failed logons by the same user with computer account filtering"

    This new one still sends me a lot of alerts with the "Computer Name" as username, like these examples:

    InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-TAL1 from workstation MSTS-TAL1

    Alert was generated on computer msts-tal1.DOMAIN.COM

     

    InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-LEV4 from workstation MSTS-LEV4

    Alert was generated on computer msts-lev4.DOMAIN.COM
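These leftover alerts are consistent with what the posted rule actually checks: its decoded `validateComputerAccount` only skips an account whose name ends in `$`, and `DOMAIN\MSTS-TAL1` has no `$`. What the examples do show is that the user name is literally the workstation's host name (the rule fills `%User Name%` from `String6` and `%Workstation%` from `String14`). The Python below, added here as an example and not part of the thread or of InTrust, runs both checks over alert texts of the form quoted in this thread: the rule's own trailing-`$` test, and an additional comparison of user name against workstation name. Treating the second case as "review" rather than "suppress" is a deliberate choice and an assumption: a name that equals the host is usually the machine itself, but a person can own an account named like a host, so it is flagged for tuning rather than dropped. The same comparison, expressed in REL against `String6` and `String14`, is the natural place to extend the rule.

```python
import re

# Constructed sample alert texts in the form the thread shows; the first three
# mirror alerts quoted above, the last is a named user account for contrast.
SAMPLE_ALERTS = [
    "There were 5 failed logons by user ADMIN\\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.",
    "There were 5 failed logons by user DOMAIN\\MSTS-TAL1 from workstation MSTS-TAL1",
    "There were 5 failed logons by user DOMAIN\\MSTS-LEV4 from workstation MSTS-LEV4",
    "There were 5 failed logons by user DOMAIN\\j.smith from workstation MSTS-LEV4",
]

# Matches the "%User Domain%\%User Name% from workstation %Workstation%" part
# of the alert name; a trailing period after the workstation is tolerated.
ALERT_RE = re.compile(
    r"failed logons by user (?P<domain>[^\\\s]+)\\(?P<user>\S+) "
    r"from workstation (?P<ws>\S+?)\.?$"
)


def is_computer_account(user: str) -> bool:
    """The check the rule's own validateComputerAccount applies:
    a Windows computer account name ends in '$'."""
    return user.endswith("$")


def looks_like_host_name(user: str, workstation: str) -> bool:
    """Heuristic for the alerts left over in the thread: no '$', but the
    'user' is the workstation's short host name. Assumption: such alerts
    originate from the machine itself rather than from a person."""
    return user.casefold() == workstation.split(".")[0].casefold()


def classify_alert(text: str) -> dict:
    """Parse one alert text and return a verdict with the reason."""
    m = ALERT_RE.search(text)
    if not m:
        return {"parsed": False, "verdict": "keep",
                "reason": "alert text not recognised; keep it visible"}
    user, ws = m["user"], m["ws"]
    result = {"parsed": True, "domain": m["domain"], "user": user,
              "workstation": ws}
    if is_computer_account(user):
        result.update(verdict="suppress", reason="computer account (trailing $)")
    elif looks_like_host_name(user, ws):
        result.update(verdict="review",
                      reason="user name equals workstation host name")
    else:
        result.update(verdict="keep", reason="named user account")
    return result


def triage(alerts):
    """Classify a batch of alert texts and tally the verdicts."""
    results = [classify_alert(a) for a in alerts]
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return results, counts


if __name__ == "__main__":
    results, counts = triage(SAMPLE_ALERTS)
    for r in results:
        print(f'{r["verdict"]:8} {r.get("user", "?"):20} {r["reason"]}')
    print(counts)
```

Feed it the alert subject lines exported from InTrust to see how many of the remaining alerts fall into each bucket before changing the rule; anything that fails to parse stays in "keep" so a formatting change in the alert name cannot silently hide alerts.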
