-
Title
How do I add exclusion filter to a real-time rule 'Member added to administrative group' ? -
Description
This article describes how to modify built-in real-time monitoring rule 'Member added to administrative group' so that it will not send alerts if specified users triggered the alert.
After text of the rule is updated new filter 'Authorized Users' will appear in the 'Macthing' tab. Add users who you don't want to trigger the alerts.
-
Cause
The built-in Intrust real-time monitoring rule 'Member added to administrative group' does not have exclusion filters.
-
Resolution
Open properties of the rule 'Member added to administrative group', go to 'Matching>Advanced' and replace current text content of the rule with the one provided in the 'Additional Information' field of this article
Additional Information:
<rule type="REL" version="1.0">
<arguments>
<argument displayname="Group List" name="Group List" class="List" description="A list of administrative groups in an organization">
<value>"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators", "Backup Operators", "Server Operators"</value>
</argument><argument displayname="Authorized users" name="Authorized users" class="List" description="A list of users who are allowed to add members to administrative groups in an organization">
<value>"domain\\username"</value>
</argument></arguments>
<prefilter>((EventID = 632 or EventID = 636 or EventID = 660) and striequ( Source, "security" ))
or
(EventID = 4728 or EventID = 4732 or EventID = 4756);</prefilter>
<body>def common(OperatorDomain, OperatorName, TargetDomain, TargetName, MemAccount) :=
{
in( TargetName, "wi", array(<parameter name="Group List"/>) )
and not in( strcat(OperatorDomain, "\\", OperatorName), "wi", array(<parameter name="Authorized users"/>) )
and set_alert_field("OperatorName", OperatorName, true)
and set_alert_field("OperatorDomain", OperatorDomain, true)
and set_alert_field("TargetName", TargetName, true)
and set_alert_field("TargetDomain", TargetDomain, true)
and set_alert_field("MemAccount", MemAccount, true)
}
(
(EventID = 632 or EventID = 636 or EventID = 660)
and striequ( Source, "security" )
and common(String7, String6, String4, String3, strcat(String11, "\\", String10))
)
or
(
(EventID = 4728 or EventID = 4732 or EventID = 4756)
and common(String8, String7, String4, String3, String12)
);</body>
</rule>