Want to create a custom rule for failed logon of specific accounts with thresholds

For example, one of the default rules is "Multiple failed logons", with matching parameters of a number threshold and a time period. I'd like to add an additional parameter of a specific user account or group of accounts.


I can't figure out how to add this to the XML of the rule so that it will match all criteria. If anyone has the XML syntax for this type of rule that would be helpful.


Thanks. 

  • Hi duran,

    Create the copy of the "Multiple failed logons" rule, let's say "My multiple failed logons"

    On the Matching tab of the rule under Advanced button change the rule in the following way.

    Add bold arguments in the Arguments section:

    <argument displayname="Threshold" name="Threshold" description="Events threshold." class="Number">
    <value>2</value>
    </argument>
    <argument displayname="Target Groups" name="Target_Groups" class="List" description="A list of target groups, e.g. Administrators">
    <value>"Administrators", "Domain Admins", "Account Operators"</value>
    </argument>
    <argument displayname="Target Users" name="Target_Users" class="List" description="A list of target user accounts, e.g. ACME\Dummy">
    <value>"ACME\\Dummy"</value>
    </argument>
    </arguments>

    Add bold conditions in the rule body section (in the 4625 part):

    <parameter name="Time period"></parameter>
    ))
    and (
    member_of( strcat( String7, "\\", String6 ), array(<parameter name="Target_Groups"/>), true )
    or
    in( strcat( String7, "\\", String6 ), "wi", array(<parameter name="Target_Users"/>) )
    )
    and set_alert_field("_UsrName", String6, true)

    This means that the rule will check whether the account is either in your account list or a member of your group list.

    After that, fill the arguments with the list of groups and accounts you want as targets, add "My multiple failed logons" to the active monitoring policy and commit the whole configuration.

    Ask for the full rule XML text if you need it.

  • In reply to Igor.Ilyin:

    Thanks Igor, very detailed instructions. I believe I followed them correctly but I don't seem to get any hits on this rule. Can you provide the full XML text for me too? Thanks again.

  • In reply to duran:

    I removed the old, unnecessary 529 part from the rule; the following text contains only the 4625 part. Copy and paste this text into the Advanced rule editor. Also, please check that the target computer's (agent's) security log does indeed contain 4625 events.

    <rule type="REL" version="1.0">
    <arguments>
    <argument displayname="Time period" name="Time period" description="Time period in which the events occurred." class="DateTimeRange">
    <value>"00:01:00"</value>
    </argument>
    <argument displayname="Threshold" name="Threshold" description="Events threshold." class="Number">
    <value>2</value>
    </argument>
    <argument displayname="Target Groups" name="Target_Groups" class="List" description="A list of target groups, e.g. Administrators">
    <value>"Administrators", "Domain Admins", "Account Operators"</value>
    </argument>
    <argument displayname="Target Users" name="Target_Users" class="List" description="A list of target user accounts, e.g. ACME\Dummy">
    <value>"ACME\\Dummy"</value>
    </argument>
    </arguments>
    <prefilter>

    EventID = 4625;

    </prefilter>
    <body>

    count(select_filtered(
    Z.EventID = 4625 and ( striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc0000064") or
    striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc000006a") ),
    striequ( Z.String6, String6 ) and striequ( Z.String7, String7 ),
    <parameter name="Time period"></parameter> ))
    &gt;= <parameter name="Threshold"></parameter>

    and empty(select_matches(
    striequ( Z[0].String6, String6 ) and striequ( Z[0].String7, String7 ),
    <parameter name="Time period"></parameter>
    ))
    and (
    member_of( strcat( String7, "\\", String6 ), array(<parameter name="Target_Groups"/>), true )
    or
    in( strcat( String7, "\\", String6 ), "wi", array(<parameter name="Target_Users"/>) )
    )

    and set_alert_field("_UsrName", String6, true)
    and set_alert_field("_UsrDomain", String7, true)
    and set_alert_field("_WorkStation", String14, true);

    </body>
    </rule>
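To see what the rule above actually matches, here is its logic re-expressed as a Python check run over a constructed set of 4625 records (an added example for illustration, not code from the thread or from the product). The field names follow the rule (String6 account, String7 domain, String8 status, String10 sub-status, String14 workstation); GROUP_MEMBERS is a hypothetical stand-in for the product's member_of() directory lookup.

```python
from datetime import datetime, timedelta
# Rule arguments from the thread; compared case-insensitively, as striequ() does.
TARGET_USERS = {"acme\\dummy"}
TARGET_GROUPS = {"administrators", "domain admins", "account operators"}
# Hypothetical stand-in for member_of(): constructed directory data, not a real lookup.
GROUP_MEMBERS = {"acme\\admin1": {"domain admins"}}

def ev(time, user, domain, sub="0xc000006a", status="0xc000006d", ws="WS01"):
    """Constructed 4625 record using the String6/7/8/10/14 field names the rule reads."""
    return {"time": time, "EventID": 4625, "String6": user, "String7": domain,
            "String8": status, "String10": sub, "String14": ws}

# Constructed sample log: Dummy fails 3x in a minute, Bob (not a target) 2x, Admin1 (Domain Admins) 2x later.
SAMPLE = [
    ev("2024-01-01T10:00:00", "Dummy", "ACME"),
    ev("2024-01-01T10:00:10", "Bob", "ACME"),
    ev("2024-01-01T10:00:20", "Bob", "ACME"),
    ev("2024-01-01T10:00:30", "dummy", "acme"),
    ev("2024-01-01T10:00:40", "Dummy", "ACME", ws="WS02"),
    ev("2024-01-01T10:05:00", "Admin1", "ACME", sub="0xc0000064"),
    ev("2024-01-01T10:05:05", "Admin1", "ACME", sub="0xc0000064"),
]

def failed_logon(e):
    """Prefilter plus the status/sub-status pairs the rule's select_filtered() accepts."""
    return (e["EventID"] == 4625 and e["String8"].lower() == "0xc000006d"
            and e["String10"].lower() in ("0xc0000064", "0xc000006a"))

def is_target(account):
    """Mirror of: in(account, Target_Users) or member_of(account, Target_Groups)."""
    return account in TARGET_USERS or bool(GROUP_MEMBERS.get(account, set()) & TARGET_GROUPS)

def detect(events, threshold=2, window=timedelta(minutes=1)):
    """Alert at >= threshold failures in window; one alert per account per window, like empty(select_matches())."""
    recent, last_alert, alerts = {}, {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        if not failed_logon(e):
            continue
        account = f'{e["String7"]}\\{e["String6"]}'.lower()
        if not is_target(account):
            continue
        t = datetime.fromisoformat(e["time"])
        # keep only this account's failures inside the time period (the select_filtered() window)
        recent[account] = [x for x in recent.get(account, []) if t - x <= window] + [t]
        if len(recent[account]) >= threshold and t - last_alert.get(account, datetime.min) > window:
            last_alert[account] = t
            alerts.append({"_UsrName": e["String6"], "_UsrDomain": e["String7"],
                           "_WorkStation": e["String14"], "count": len(recent[account])})
    return alerts
```

Running detect(SAMPLE) raises one alert for ACME\Dummy (second failure, third one suppressed) and one for ACME\Admin1 via group membership, while Bob's failures never match because he is in neither list.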