InTrust alerting on logon for "non primary" user account?

Has anyone been successful, or have any ideas, on setting up a monitoring alert that would go off when a domain user logs onto a computer that is not their "primary computer"? Let's say we name the computer "IT-FSMITH". If someone other than the user account "fsmith" logs on, alert. Is this doable, maybe via XML?

  • Hi,

    It highly depends on the specifics of your environment. If your computer names do indeed contain user names, that would be easy to do; also, if you are ready to provide the list of computer name / user name pairs, we can create a rule which will accept those. If you have AD attributes filled in, like managedBy, that would require custom development because it is not available out of the box. So please provide more exact info on how this "primary computer" is defined in your environment.

    Thanks

  • Thanks for your reply. Here are some examples:

    ACCT-DWAGNER - Derek Wagner (dwagner)

    IT-MKELLY1 - Matt Kelly (mkelly)

    LGL-AKARAKOV - Alex Karakov (akarakov)

    IT-LP-FMAGNES - Frank Magnes (fmagnes)

    So as you can see, each of the above names is a little different, but they all contain the sAMAccountName from Active Directory (which is in parentheses).

  • Ok,

    Let's start with the rule in the attachment; try it. You may know that we have InTrust User Session Tracking events that were designed specifically for these purposes, so I'm sure this data source is the right one in your case.
    Download the XML to the InTrust server machine, open InTrust Manager, navigate to Root | Real-Time Monitoring | Rules | Windows/AD Security, right-click, choose Import, and select the XML file. Then create a policy and send the rule to your site as usual. Don't forget to enable e-mail notification in the policy. Commit all changes.
    The rule triggers if the sAMAccountName is not contained in the ComputerName. I think the condition might be more complex (what if you have Matt Kelly and Margaret Kelly?), but let's get your feedback on this simple rule first.

    User session was started on non-primary computer.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2019 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: User session was started on non-primary computer.xml $
    $Revision: 0 $
    $Modtime: 6/28/2019 10:03:15 AM $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{E9BD74C6-A7D7-42D1-82CC-D75758F2FE4D}\Rules">
    	<LimitEventsCount>10</LimitEventsCount>
    	<SuppressBySeverity>0</SuppressBySeverity>
    	<Description></Description>
    	<GenerateAlert>1</GenerateAlert>
    	<AlertInitialState>0</AlertInitialState>
    	<Name>User session was started on non-primary computer</Name>
    	<Guid>{AF115981-538D-459D-94E1-55A648B05AA2}</Guid>
    	<MatchCondition><!-- placeholder: the condition body was not preserved on this page --></MatchCondition>
    	<AlertSeverity>48</AlertSeverity>
    	<Enabled>1</Enabled>
    	<SuppressByAlertCode>0</SuppressByAlertCode>
    	<Schedule>FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00</Schedule>
    	<VendorKnowledgeBase></VendorKnowledgeBase>
    	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
    	<SuppressByName>0</SuppressByName>
    	<AlertSuppression>0</AlertSuppression>
    	<CustomerKnowledgeBase></CustomerKnowledgeBase>
    	<Distribution></Distribution>
    	<AlertName>User session was started by %SamAccountName% on non-primary computer %WorkstationName%</AlertName>
    	<SuppressByRuleID>0</SuppressByRuleID>
    	<DoNotSaveEvents>0</DoNotSaveEvents>
    	<SuppressByHostName>0</SuppressByHostName>
    	<Condition></Condition>
    	<AlertComment></AlertComment>
    	<FilterCondition>0100000000000000</FilterCondition>
    	<AlertDescription></AlertDescription>
    	<ScheduleEnabled>0</ScheduleEnabled>
    	<SuppressBySiteID>0</SuppressBySiteID>
    	<AlertAssignment></AlertAssignment>
    	<RuleDistribution>0</RuleDistribution>
    	<AlertCode>QS_AD_SEC_0144</AlertCode>
    	
    	<NotificationFormats>
    		<ITRTNotificationFormat>
    			<Guid>{08B8A7D5-D1F1-4CE8-B22B-868C8E28C42B}</Guid>
    			<ComposerTemplate><!-- placeholder: the template body was not preserved on this page --></ComposerTemplate>
    			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
    			<Enabled>1</Enabled>
    			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
    			
    		</ITRTNotificationFormat>
    	</NotificationFormats>
    	<DataSources>
    		<ITRTRuleDataSource>
    			<Guid>{12EA527E-BD93-481A-92A1-4BC500CC69C6}</Guid>
    			<DataSourceId>{F7CDC04E-E96E-4A26-AEB3-A7D1440B602A}</DataSourceId>
    			
    		</ITRTRuleDataSource>
    	</DataSources>
    	<AlertFields>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{3BE871CE-2A0F-4E16-A2E1-388A9497B1DE}</Guid>
    			<FieldValue>%wn%</FieldValue>
    			<FieldName>WorkstationName</FieldName>
    			
    		</ITRTAlertField>
    		<ITRTAlertField>
    			<Suppression>0</Suppression>
    			<Guid>{C38829AA-CD51-4715-8723-C130A14C4985}</Guid>
    			<FieldValue>%san%</FieldValue>
    			<FieldName>SamAccountName</FieldName>
    			
    		</ITRTAlertField>
    	</AlertFields>
    </ITRTProcessingRule>
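
The matching logic the attached rule implements, worked through as an added example (this is not InTrust's own code and not part of the original thread). It evaluates the "sAMAccountName not contained in ComputerName" check case-insensitively over constructed session-start records built from the computer names quoted in the thread, and sets it beside the explicit computer/account pair list suggested in the first reply. The `IT-MKELLY2` / `mkelly2` entry for Margaret Kelly is hypothetical, added only to show the ambiguity the reply warns about: the substring rule stays silent when Matt Kelly logs onto a machine whose name merely contains his account name, while the pair list catches it.

```python
"""Worked example of the 'non-primary computer' logon check.

Two ways to decide whether a user session started on a computer that is
not the user's own:

  1. substring rule - alert when the sAMAccountName is NOT contained in
     the computer name (what the attached InTrust rule does);
  2. explicit pairs - alert when the (computer, account) pair disagrees
     with a maintained computer -> primary-account mapping.

All event records and the mapping below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SessionStart:
    """Minimal stand-in for an InTrust User Session Tracking event."""
    workstation: str   # what the rule's alert fields expose as %wn%
    sam_account: str   # what the rule's alert fields expose as %san%


def substring_rule(event: SessionStart) -> bool:
    """True (alert) when the account name is not part of the computer name.

    Case-insensitive: Windows computer names are usually upper-case while
    sAMAccountName values are typically lower-case.
    """
    return event.sam_account.lower() not in event.workstation.lower()


def pair_rule(event: SessionStart, primary: dict[str, str]) -> bool:
    """True (alert) when the computer has a known primary user and the
    session's account is not that user.  Computers missing from the
    mapping are treated as unmanaged: no alert.
    """
    owner = primary.get(event.workstation.upper())
    if owner is None:
        return False
    return owner.lower() != event.sam_account.lower()


# Constructed computer -> primary account list: the pairs from the thread
# plus a hypothetical IT-MKELLY2 for Margaret Kelly.
PRIMARY_USER = {
    "ACCT-DWAGNER": "dwagner",
    "IT-MKELLY1": "mkelly",
    "IT-MKELLY2": "mkelly2",      # hypothetical second Kelly
    "LGL-AKARAKOV": "akarakov",
    "IT-LP-FMAGNES": "fmagnes",
    "P-BENYBB": "benybb",
}

# Constructed session-start events.
EVENTS = [
    SessionStart("IT-MKELLY1", "mkelly"),      # owner on own machine
    SessionStart("P-BENYBB", "bar"),           # the RDP test from the thread
    SessionStart("ACCT-DWAGNER", "fmagnes"),   # wrong user, no name overlap
    SessionStart("IT-MKELLY2", "mkelly"),      # Matt on Margaret's machine
    SessionStart("LGL-AKARAKOV", "Akarakov"),  # only the case differs
]


def evaluate(events: list[SessionStart], primary: dict[str, str]) -> list[dict]:
    """Return, per event, which of the two rules would raise an alert."""
    return [
        {
            "workstation": e.workstation,
            "account": e.sam_account,
            "substring_alert": substring_rule(e),
            "pair_alert": pair_rule(e, primary),
        }
        for e in events
    ]


if __name__ == "__main__":
    for row in evaluate(EVENTS, PRIMARY_USER):
        print(row)
```

Running it shows both rules agreeing on the ordinary cases (the owner on their own machine, `bar` on `P-BENYBB`) and disagreeing only on `IT-MKELLY2`, where the substring rule produces no alert because `mkelly` is contained in the name; that is the case a pair list, or a stricter naming convention, would have to resolve.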
    

  • Hi Igor!

    It doesn't seem to work for me - sadly ...

    Our computer names follow this syntax: "P-%username%"

    Example: P-benybb

    I imported and activated the XML rule above.

    I did the following test: tried an RDP login with the username "bar" to the computer named "P-benybb".

    Logon succeeded and no alerts.

    What can it be?

    Thanks in advance

  • Hi benybb,

    Sorry for the delay. Well, the rule still works for me; I have retested it. The reason why it does not work for you may lie in how you configure the rule / policy / site in the InTrust Manager. My guess is the rule did not reach your agent. Please go to the computer "P-benybb" and examine the InTrust agent's installation folder ("C:\Windows\ADCAgent" by default). In this folder go to the DATA folder, then the TASKS folder, then to a folder with some GUID name that contains a CFG folder (the GUIDs may differ), and inside find the file that corresponds to the "User session was started on non-primary computer" rule, like on the screen below. If such a file cannot be found, then double-check your configuration in the InTrust Manager to instruct InTrust to send the rule to the agent. The site should (directly or indirectly) contain the "P-benybb" computer, and the real-time monitoring policy should bind the site, the rule and the e-mail notification recipient.


  • Thank you for the response, Igor.

    I fixed it the way you said and now the rule does appear in the CFG folder.

    It worked like a charm!

    Thank you very much