Filter Out computer name in some Rules

Hello,

I wish to filter out the computer name in some rules.

The rules make false alerts with the computer name as the user name.

How exactly can I do that?

Thanks in advance

*********

Rule (I): Member added to an administrative group


Member DOMAIN\JCT_Level_1_Support added to group Builtin\Administrators by DOMAIN\ELEC-403-111$.

Alert was generated on computer ELEC-403-111.DOMAIN.COM.

***************
Rule (I): Change Password Attempt on Administrative Account


There was administrative account password change attempt by DOMAIN\LAU106-54-90$ user. Target account: LAU106-54-90\admin.

Alert was generated on computer LAU106-54-90.DOMAIN.COM.

****************
Rule (A): User Account enabled by unauthorized personnel


Account T-LEC-9205\Ladmin enabled by DOMAIN\T-LEC-9205$.

Alert was generated on computer t-lec-9205.DOMAIN.COM

****************
Rule (A): Multiple failed logons by the same user


There were 5 failed logons by user ADMIN\SAFECOM-LEV-ADM$ from workstation SAFECOM-LEV-ADM.

Alert was generated on computer p-baruch.DOMAIN.COM.

  • Regarding "Multiple pre-authentication failures, with computer account filtering"

    Thank you for that!


    Is there a way to know "On Which RDP TERMINAL SERVER" the user tried and failed to log in?

    Like in this real example, I cannot see which terminal server the user "bebaruch" tried to connect to and failed:

    I received on each alert (after 10 failed tries) 2 emails:

    First:

    InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.6.19) attempting to gain access to the krbtgt/domain service

    Alert was generated on computer dc-lev5.DOMAIN.COM

     (10.1.6.19 is a DC server named dc-lev1)

    Second:

    InTrust Major alert - There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.5.39) attempting to gain access to the krbtgt/domain service

    Alert was generated on computer dc-lev1.domain.com.

     (10.1.5.39 is the physical computer that the user tried to RDP FROM (origin), but not the terminal server where the login actually failed)

    Thanks in advance

  • Hi

    Regarding: "Multiple failed logons by the same user with computer account filtering"

    This new one still sends me a lot of alerts with the "Computer Name" as the username, like these examples:

    InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-TAL1 from workstation MSTS-TAL1

    Alert was generated on computer msts-tal1.DOMAIN.COM


    InTrust Major alert - There were 5 failed logons by user DOMAIN\MSTS-LEV4 from workstation MSTS-LEV4

    Alert was generated on computer msts-lev4.DOMAIN.COM

  • To my understanding, no: these 4771 events do not contain such info as the terminal server IP or name.

  • I made a change in the function in all 5 rules, so please replace them all. If the problem still persists, I will ask you to provide specific events that trigger the alert.

    FixRules.zip
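The computer-account false positives discussed throughout this thread, as an added example that is not part of the thread or of the FixRules.zip attachment: a small Python filter that classifies alert messages worded like the ones quoted above (the sample messages are constructed from them) and suppresses those whose actor is a machine account (name ending in `$`) or a bare computer name that equals the workstation or the generating host. The message wording, the hostname-matching heuristic and the function names are assumptions of this example, not InTrust's own rule logic.

```python
import re

# Constructed sample alerts modelled on the messages quoted in this thread:
# (alert message, host from the "Alert was generated on computer ..." line).
SAMPLE_ALERTS = [
    ("Member DOMAIN\\JCT_Level_1_Support added to group Builtin\\Administrators "
     "by DOMAIN\\ELEC-403-111$.", "ELEC-403-111.DOMAIN.COM"),
    ("There were 5 failed logons by user DOMAIN\\MSTS-TAL1 from workstation MSTS-TAL1",
     "msts-tal1.DOMAIN.COM"),
    ("There were 5 failed logons by user DOMAIN\\jsmith from workstation MSTS-TAL1",
     "msts-tal1.DOMAIN.COM"),
    ("There were 5 pre-authentication failures by bebaruch user (IP: ::ffff:10.1.6.19) "
     "attempting to gain access to the krbtgt/domain service", "dc-lev5.DOMAIN.COM"),
]

# Actor account as it appears in the alert text (assumed wording, taken from the thread):
# "by DOMAIN\NAME$", "by user DOMAIN\NAME", "by bebaruch user".
ACTOR_RE = re.compile(r"\bby (?:user )?(?P<acct>[\w\\$\-]+)")
WORKSTATION_RE = re.compile(r"\bfrom workstation (?P<ws>[\w\-]+)")


def is_computer_account(account: str) -> bool:
    """Windows machine accounts are named HOSTNAME$ (e.g. DOMAIN\\ELEC-403-111$)."""
    return account.rstrip(".").endswith("$")


def bare_name(account: str) -> str:
    """'DOMAIN\\MSTS-TAL1$.' -> 'msts-tal1' (drop domain, trailing '$' and punctuation)."""
    return account.rstrip(".").split("\\")[-1].rstrip("$").lower()


def classify(message: str, alert_host: str) -> str:
    """Return the suppression reason, or 'keep' when a real user account is the actor."""
    m = ACTOR_RE.search(message)
    if not m:
        return "keep"  # unknown message shape: never drop it silently
    acct = m.group("acct")
    if is_computer_account(acct):
        return "computer-account"
    name = bare_name(acct)
    ws = WORKSTATION_RE.search(message)
    if ws and name == ws.group("ws").lower():
        return "name-matches-workstation"  # "user DOMAIN\MSTS-TAL1 from workstation MSTS-TAL1"
    if name == alert_host.split(".")[0].lower():
        return "name-matches-alert-host"  # heuristic: short name of the generating computer
    return "keep"


def filter_alerts(alerts):
    """Keep only the alerts that a human should still see."""
    return [(msg, host) for msg, host in alerts if classify(msg, host) == "keep"]
```

Alerts the regex cannot parse are deliberately kept rather than dropped, so a wording change in the rule text degrades to noise, not to silence.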