
Want to create a custom rule for failed logon of specific accounts with thresholds

For example, one of the default rules is "Multiple failed logons", with matching parameters of a number threshold and a time period. I'd like to add an additional parameter of a specific user account or group of accounts.
I can't figure out how to add this to the XML of the rule so that it will match all criteria. If anyone has the XML syntax for this type of rule that would be helpful.
Thanks. 

  • I removed the old, unnecessary 529 part from the rule; the following text contains only the 4625 part. Copy and paste this text into the Advanced rule editor. Also please check that the target computer's (agent) security log actually contains 4625 events.

    <rule type="REL" version="1.0">
    <arguments>
    <argument displayname="Time period" name="Time period" description="Time period in which the events occurred." class="DateTimeRange">
    <value>"00:01:00"</value>
    </argument>
    <argument displayname="Threshold" name="Threshold" description="Events threshold." class="Number">
    <value>2</value>
    </argument>
    <argument displayname="Target Groups" name="Target_Groups" class="List" description="A list of target groups, e.g. Administrators">
    <value>"Administrators", "Domain Admins", "Account Operators"</value>
    </argument>
    <argument displayname="Target Users" name="Target_Users" class="List" description="A list of target user accounts, e.g. ACME\Dummy">
    <value>"ACME\\Dummy"</value>
    </argument>
    </arguments>
    <prefilter>

    EventID = 4625;

    </prefilter>
    <body>

    count(select_filtered(
    Z.EventID = 4625 and ( striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc0000064") or
    striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc000006a") ),
    striequ( Z.String6, String6 ) and striequ( Z.String7, String7 ),
    <parameter name="Time period"></parameter> ))
    &gt;= <parameter name="Threshold"></parameter>

    and empty(select_matches(
    striequ( Z[0].String6, String6 ) and striequ( Z[0].String7, String7 ),
    <parameter name="Time period"></parameter>
    ))
    and (
    member_of( strcat( String7, "\\", String6 ), array(<parameter name="Target_Groups"/>), true )
    or
    in( strcat( String7, "\\", String6 ), "wi", array(<parameter name="Target_Users"/>) )
    )

    and set_alert_field("_UsrName", String6, true)
    and set_alert_field("_UsrDomain", String7, true)
    and set_alert_field("_WorkStation", String14, true);

    </body>
    </rule>
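The same detection logic as an added worked example in Python, not the poster's rule and not code from the rule engine: count 4625 events with status 0xc000006d and sub-status 0xc0000064 or 0xc000006a per domain\user inside a sliding time period, keep only accounts in the target user list or target groups, and suppress repeat alerts for an account within the same period. The event records, timestamps and the group-membership table (a stand-in for the directory lookup that member_of() does) are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, user, domain, sub_status, workstation, status="0xc000006d"):
    # Build a 4625 record; keys mirror the rule's String6/7/8/10/14 insertion strings.
    return {"time": time, "EventID": 4625, "String6": user, "String7": domain,
            "String8": status, "String10": sub_status, "String14": workstation}
# Constructed sample events (not real log data); mixed case exercises striequ() semantics.
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:00", "Dummy", "ACME", "0xc000006a", "WS01"),
    ev("2024-01-01T10:00:20", "dummy", "acme", "0xC0000064", "WS01"),  # 2nd failure -> alert
    ev("2024-01-01T10:00:40", "Dummy", "ACME", "0xc000006a", "WS02"),  # inside suppression window
    ev("2024-01-01T10:01:00", "Dummy", "ACME", "0xc000006f", "WS01"),  # logon-hours: not counted
    ev("2024-01-01T10:00:05", "Bob", "ACME", "0xc000006a", "WS03"),    # Bob is not a target
    ev("2024-01-01T10:00:06", "Bob", "ACME", "0xc000006a", "WS03"),
    ev("2024-01-01T10:02:00", "Alice", "ACME", "0xc000006a", "WS04"),  # Administrator, but the
    ev("2024-01-01T10:07:00", "Alice", "ACME", "0xc000006a", "WS04"),  # two failures are 5 min apart
]

# Stand-ins for the rule's parameters. GROUP_MEMBERS is an assumed, constructed
# membership table replacing the directory lookup that member_of() performs.
TARGET_USERS = {"acme\\dummy"}
TARGET_GROUPS = {"administrators", "domain admins", "account operators"}
GROUP_MEMBERS = {"administrators": {"acme\\alice"}}
THRESHOLD, TIME_PERIOD = 2, timedelta(minutes=1)

def is_targeted(account):
    # account is "domain\user" lower-cased, like strcat(String7, "\\", String6).
    return account in TARGET_USERS or any(
        account in GROUP_MEMBERS.get(g, ()) for g in TARGET_GROUPS)

def failed_logon_alerts(events, threshold=THRESHOLD, window=TIME_PERIOD):
    """One alert per targeted account when bad-password (0xc000006a) or unknown-user
    (0xc0000064) failures reach the threshold inside the window; repeats are suppressed."""
    history, last_alert, alerts = defaultdict(list), {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        if (e["EventID"] != 4625 or e["String8"].lower() != "0xc000006d"
                or e["String10"].lower() not in ("0xc0000064", "0xc000006a")):
            continue
        key = (e["String7"].lower(), e["String6"].lower())   # (domain, user)
        if not is_targeted("\\".join(key)):
            continue
        t = datetime.fromisoformat(e["time"])
        history[key] = [x for x in history[key] if t - x <= window] + [t]  # sliding window
        if len(history[key]) < threshold or (key in last_alert and t - last_alert[key] <= window):
            continue  # below threshold, or already alerted for this account within the window
        last_alert[key] = t
        alerts.append({"_UsrName": e["String6"], "_UsrDomain": e["String7"],
                       "_WorkStation": e["String14"], "failures": len(history[key])})
    return alerts
```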