Hello, I would like to filter out the following email, which I copied below. I
also attached the custom rules that I created, which don't seem to be filtering
all the emails out. I actually created 4 rules because there are 4 user
accounts that I want to filter: mnesx1$, mnesx2$, mnesx3$ and mnesx4. Any
assistance on what I am doing wrong would be greatly appreciated.
Thanks.
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID:
%{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name:
krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.112
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID:
%{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name:
krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.112
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
LOMBARDO: Pre-authentication failed: User Name: _Varonis User ID:
%{S-1-5-21-1995130590-1722771374-355810188-12480} Service Name:
krbtgt/northlandgroup.com Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.106
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2:
Pre-authentication failed: User Name: MNESX4$ User ID:
%{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.114
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2:
Pre-authentication failed: User Name: MNESX4$ User ID:
%{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.114
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID:
%{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name:
krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.112
Chad Hammond
Systems Administrator
Northland Group
7831 Glenroy Rd
Edina MN 55439
Direct: 952-837-0625
<group name="local">
  <rule id="100101" level="0">
    <if_sid>18152</if_sid>
    <match>Pre-authentication failed: User Name: MNESX1$ </match>
    <description>Events ignored</description>
  </rule>
</group>

<group name="local">
  <rule id="100102" level="0">
    <if_sid>18152</if_sid>
    <match>Pre-authentication failed: User Name: MNESX2$ </match>
    <description>Events ignored</description>
  </rule>
</group>

<group name="local">
  <rule id="100103" level="0">
    <if_sid>18152</if_sid>
    <match>Pre-authentication failed: User Name: MNESX3$ </match>
    <description>Events ignored</description>
  </rule>
</group>

<group name="local">
  <rule id="100104" level="0">
    <if_sid>18152</if_sid>
    <match>Pre-authentication failed: User Name: MNESX4$ </match>
    <description>Events ignored</description>
  </rule>
</group>
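Added example, not from the poster and not OSSEC's own code: a small Python emulator of the documented sregex syntax that `<match>` uses (`^` start anchor, `$` end anchor, `|` alternation, backslash escape), run over constructed copies of the pasted 675 events to compare the four patterns as posted against one combined pattern with the dollar sign escaped. The emulator is an approximation of OSSEC's matcher, the User ID in the events is a placeholder, and it also checks that an unrelated account (_Varonis) is not silenced.

```python
import re

def sregex_to_python(pattern):
    """Translate the documented OSSEC sregex subset to a Python regex (approximation):
    ^ anchors the start, $ anchors the end, | is OR, \\ makes the next char literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # escaped character is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(c if c in "^$|" else re.escape(c))
        i += 1
    return re.compile("".join(out))

def matches(pattern, log):
    return sregex_to_python(pattern).search(log) is not None

def event(host, user, client):
    # Constructed 675 event in the shape pasted in the post; the User ID is a placeholder.
    return (f"WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            f"{host}: Pre-authentication failed: User Name: {user} User ID: "
            f"%{{S-1-5-21-PLACEHOLDER}} Service Name: krbtgt/NORTHLANDGROUP.COM "
            f"Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: {client}")

EVENTS = [event("LOMBARDO", "MNESX2$", "10.0.0.112"),
          event("MNDC2", "MNESX4$", "10.0.0.114"),
          event("LOMBARDO", "_Varonis", "10.0.0.106")]

# The four patterns exactly as written in the posted rules (unescaped $, trailing space):
# an end anchor followed by a space can never match, so nothing is suppressed.
AS_POSTED = [f"Pre-authentication failed: User Name: MNESX{n}$ " for n in (1, 2, 3, 4)]

# One rule for all four accounts: each alternative repeats the full prefix, because |
# splits the whole pattern, and \$ matches the literal dollar sign of a machine account.
COMBINED = "|".join(f"Pre-authentication failed: User Name: MNESX{n}\\$" for n in (1, 2, 3, 4))

def suppressed(patterns, logs):
    """Return the user names whose events any of the patterns would silence."""
    hits = []
    for log in logs:
        if any(matches(p, log) for p in patterns):
            hits.append(re.search(r"User Name: (\S+)", log).group(1))
    return hits

if __name__ == "__main__":
    print("as posted:", suppressed(AS_POSTED, EVENTS))    # []
    print("combined :", suppressed([COMBINED], EVENTS))   # ['MNESX2$', 'MNESX4$']
```

Patterns that pass this check still need to be confirmed with ossec-logtest against the real decoded event, since the emulator covers only the documented special characters.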