It didn't work. Thanks anyway.

On Thursday, July 26, 2012 05:25:31 UTC-5, alsdks wrote:
>
> Hello,
>
> try this:
>
> <rule id="100001" level="0">
>   <if_sid>18107</if_sid>
>   <match>Tipo de inicio de sesin: 5</match>
>   <description>Rule to mute Logon type 5</description>
> </rule>
>
> Let me know if that helps
>
> Cheers
>
> On Wednesday, July 25, 2012 11:53:03 PM UTC+3, Andres Felipe Mejia Sanchez wrote:
>>
>> Hi.. I'm trying to make a Windows exception rule, but I excluded
>>
>> 1805 rule id
>> 528 id
>> it works!
>>
>> but I also need to exclude the logon type (5). Does anybody know how to
>> exclude by logon type?
>>
>> ** Alert 1343249162.804628: - windows,authentication_success, 2012 Jul 25
>> 15:46:02 (amejia) 10.16.1.32->WinEvtLog Rule: 18107 (level 3) ->
>> 'Windows Logon Success.' Src IP: (none) User: SERVICIO LOCAL WinEvtLog:
>> Security: AUDIT_SUCCESS(528): Security: SERVICIO LOCAL: NT AUTHORITY:
>> AMEJIA: Inicio de sesin realizado: Nombre de usuario:
>> SERVICIO LOCAL Dominio: NT AUTHORITY Id. de
>> inicio de sesin: (0x0,0x3E5)
>> *Tipo de inicio de sesin: 5* Proceso de inicio de sesin:
>> Advapi Paquete de autenticacin: Negotiate Nombre de
>> estacin de
>> trabajo: GUID de inicio de sesin: -
