
Want to create a custom rule for failed logon of specific accounts with thresholds

For example, one of the default rules is "Multiple failed logons", with matching parameters of a number threshold and a time period. I'd like to add an additional parameter of a specific user account or group of accounts.

 

I can't figure out how to add this to the XML of the rule so that it will match all criteria. If anyone has the XML syntax for this type of rule that would be helpful.

 

Thanks. 

  • Hi duran,

    Create the copy of the "Multiple failed logons" rule, let's say "My multiple failed logons"

    On the Matching tab of the rule under Advanced button change the rule in the following way.

    Add bold arguments in the Arguments section:

    <argument displayname="Threshold" name="Threshold" description="Events threshold." class="Number">
      <value>2</value>
    </argument>
    <argument displayname="Target Groups" name="Target_Groups" class="List" description="A list of target groups, e.g. Administrators">
      <value>"Administrators", "Domain Admins", "Account Operators"</value>
    </argument>
    <argument displayname="Target Users" name="Target_Users" class="List" description="A list of target user accounts, e.g. ACME\Dummy">
      <value>"ACME\\Dummy"</value>
    </argument>
    </arguments>

    Add bold conditions in the rule body section (in the 4625 part):

    <parameter name="Time period"></parameter>
    ))
    and (
      member_of( strcat( String7, "\\", String6 ), array(<parameter name="Target_Groups"/>), true )
      or
      in( strcat( String7, "\\", String6 ), "wi", array(<parameter name="Target_Users"/>) )
    )
    and set_alert_field("_UsrName", String6, true)

    This means that the rule will check whether the account is either in your account list or a member of your group list.

    After that, fill the arguments with the list of groups and accounts you want as targets, add "My multiple failed logons" to the active monitoring policy and commit the whole configuration.

    Ask for the full rule XML text if you need it.

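To make the matching logic in the answer concrete, here is an added Python re-implementation of what the modified rule evaluates: failed logons (event 4625) are counted per account inside a sliding time window, and only accounts that are either in the Target_Users list or members of one of the Target_Groups are counted. This is example code, not the product's rule engine or the rule XML itself. It assumes, from the `strcat( String7, "\\", String6 )` expression, that String7 is the domain and String6 the user name; it assumes the `"wi"` flag of `in()` means wildcard, case-insensitive matching and the `true` flag of `member_of()` means case-insensitive comparison; the group membership table, the 5-minute time period and all events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# --- Rule arguments, mirroring the three <argument> blocks in the answer ---
THRESHOLD = 2                       # "Threshold": failed logons needed to alert
TIME_PERIOD = timedelta(minutes=5)  # "Time period": sliding window (value assumed)
TARGET_GROUPS = ["Administrators", "Domain Admins", "Account Operators"]
TARGET_USERS = ["ACME\\Dummy", "ACME\\svc_*"]   # second entry is a hypothetical wildcard

# Constructed stand-in for directory group membership. The real rule's
# member_of() resolves this against the directory; here it is a fixed table.
GROUP_MEMBERS = {
    "Administrators": {"ACME\\alice"},
    "Domain Admins": {"ACME\\alice", "ACME\\svc_backup"},
    "Account Operators": set(),
}


def account_name(domain, user):
    """strcat(String7, "\\", String6): build DOMAIN\\user as one string."""
    return f"{domain}\\{user}"


def member_of(account, groups):
    """Case-insensitive group membership check (assumed meaning of the `true` flag)."""
    acct = account.lower()
    return any(acct in {m.lower() for m in GROUP_MEMBERS.get(g, ())} for g in groups)


def in_list(account, patterns):
    """Assumed semantics of in(..., "wi", ...): wildcard, case-insensitive match."""
    acct = account.lower()
    return any(fnmatchcase(acct, p.lower()) for p in patterns)


def is_target(account):
    """The OR condition added to the 4625 part of the rule."""
    return member_of(account, TARGET_GROUPS) or in_list(account, TARGET_USERS)


class FailedLogonRule:
    """Counts 4625 events per targeted account inside a sliding time window."""

    def __init__(self, threshold=THRESHOLD, period=TIME_PERIOD):
        self.threshold, self.period = threshold, period
        self.windows = defaultdict(deque)   # account -> timestamps inside the window

    def process(self, event):
        """Return an alert dict when the threshold is reached, else None."""
        if event["EventID"] != 4625:
            return None                     # only failed logons count
        account = account_name(event["String7"], event["String6"])
        if not is_target(account):
            return None                     # neither in Target_Users nor Target_Groups
        ts = event["time"]
        window = self.windows[account.lower()]
        window.append(ts)
        while window and ts - window[0] > self.period:
            window.popleft()                # drop failures older than Time period
        if len(window) < self.threshold:
            return None
        count = len(window)
        window.clear()                      # one alert per burst, then start counting again
        return {"_UsrName": event["String6"],   # set_alert_field("_UsrName", String6, true)
                "account": account, "count": count, "last_seen": ts}


def _ev(hhmmss, event_id, domain, user):
    """Constructed event record in the String6/String7 layout the rule reads."""
    return {"time": datetime(2024, 1, 1, *map(int, hhmmss.split(":"))),
            "EventID": event_id, "String7": domain, "String6": user}


SAMPLE_EVENTS = [                                # constructed sample log
    _ev("10:00:00", 4625, "ACME", "bob"),        # not a target: never counted
    _ev("10:00:05", 4625, "ACME", "bob"),
    _ev("10:00:10", 4625, "ACME", "alice"),      # Domain Admins member
    _ev("10:00:15", 4624, "ACME", "alice"),      # successful logon, ignored
    _ev("10:00:20", 4625, "ACME", "alice"),      # 2nd failure in window -> alert
    _ev("10:01:00", 4625, "acme", "dummy"),      # Target_Users match, case-insensitive
    _ev("10:09:00", 4625, "acme", "dummy"),      # 8 min later: outside window, no alert
    _ev("10:09:30", 4625, "ACME", "svc_backup"), # wildcard and group match
    _ev("10:09:40", 4625, "ACME", "svc_backup"), # 2nd failure -> alert
]


def run_rule(events, threshold=THRESHOLD, period=TIME_PERIOD):
    """Feed events through the rule in order and collect the alerts it raises."""
    rule = FailedLogonRule(threshold, period)
    return [a for a in (rule.process(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the sample produces alerts for alice and svc_backup only: bob never passes the target check, and the two dummy failures are too far apart to fall inside one window. Clearing the window after an alert is a design choice made here so one burst yields one alert rather than one per further failure; the product's own rule engine may behave differently.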