
Want to create a custom rule for failed logon of specific accounts with thresholds

For example, one of the default rules is "Multiple failed logons" with matching parameters of a number threshold and time period. I'd like to add an additional parameter of a specific user account or group of accounts.

 

I can't figure out how to add this to the XML of the rule so that it will match all criteria. If anyone has the XML syntax for this type of rule that would be helpful.

 

Thanks. 

  • Thanks Igor, very detailed instructions. I believe I followed them correctly but I don't seem to get any hits on this rule. Can you provide the full XML text for me too? Thanks again.