On 06.11.2012 14:45, brandall wrote:
> This is a stretch being that this appears to be dead, but any luck
> with it? I'm attempting to do something very similar. I wish to
> disregard failed logons of a specific user.
Try something like this:
<rule id="10001" level="11">
  <if_group>win_authentication_failed</if_group>
  <user>lalala</user>
  <description>Ignore logon failures from lalala</description>
  <options>no_email_alert</options>
  <group>authentication_failures,</group>
</rule>
If the user doesn't get decoded, or is SYSTEM (which I think always
happens with auth failures), use <match> instead.
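As an added illustration (not part of the original thread), here is the <match> variant the reply points to, written as a complete local_rules.xml fragment. The rule id 100002, the level and the user name lalala are assumptions chosen for the example.

```xml
<!-- Added example, not from the original post: OSSEC local_rules.xml fragment -->
<group name="local,">
  <!-- Only considered for events already classified as a Windows logon failure
       by the stock msauth rules (group win_authentication_failed). -->
  <rule id="100002" level="0">
    <if_group>win_authentication_failed</if_group>
    <!-- Substring match on the raw log line, for the case where the decoder
         does not populate the user field (or reports SYSTEM). Include the
         literal text that surrounds the name in your event format where you
         can; a bare "lalala" would also match an account named "lalalab". -->
    <match>lalala</match>
    <description>Discard Windows logon failures for account lalala</description>
  </rule>
</group>
```

Level 0 makes OSSEC drop the event silently, whereas the level 11 rule above with no_email_alert still writes an alert to alerts.log and only suppresses the mail; choose based on whether the failures must remain auditable.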