Failed logon with specific failure reason

Hello

We have 2 domains in our organization, and sometimes by mistake some users of the second domain (applications usually) -

Of course their logons failed, because they are from another domain.

Is there any option to make an exception for the whole domain in this rule (Matching Parameters)? (Failed logon with specific failure reason (Misspelled or Disabled))

Something like "DOMAIN\*"

Thanks in advance

  • Hi Benybb, as far as I understand, we're talking about the custom rule from the forum item https://www.quest.com/community/intrust/f/forum/30858/alert-for-attempt-to-use-disable-or-nonexistent-user . I will give you a couple of possible additions to the rule text, but you have to add them manually, because I don't know the current state of this rule in your environment. So, open the rule properties in InTrust Manager and click the Advanced button on the Matching tab. Inside the arguments section, add a new argument:
    <argument displayname="Target Domains" name="Target_Domains" class="List" description="A list of target domains to monitor.">
    <value>"YOURDOMAIN"</value>
    </argument>
    And down in the list of conditions add the following line (not in the beginning and not in the end, but in the middle):
    and in(String7, "wi", array(<parameter name="Target_Domains"/>))
    This will implement the domain including filter.

    If your intention is an excluding filter, then change it to negative:
    <argument displayname="Exclude Domains" name="Exclude_Domains" class="List" description="A list of domains to exclude from monitoring.">
    <value>"OTHERDOMAIN"</value>
    </argument>
    ...
    and not(in(String7, "wi", array(<parameter name="Exclude_Domains"/>)))