Thanks for the example! I implemented it and will see if it catches the next time the event fires.
Thanks again!

On Wednesday, November 7, 2012 2:55:38 PM UTC-5, Michael Starks wrote:
>
> On 06.11.2012 14:45, brandall wrote:
> > This is a stretch being that this appears to be dead, but any luck
> > with it? I'm attempting to do something very similar. Wish to
> > disregard failed logons of a specific user.
>
> Try something like this:
>
> <rule id="10001" level="11">
>   <if_group>win_authentication_failed</if_group>
>   <user>lalala</user>
>   <description>Ignore logon failures from lalala</description>
>   <options>no_email_alert</options>
>   <group>authentication_failures,</group>
> </rule>
>
> If the user doesn't get decoded, or is SYSTEM (which I think always
> happens with auth failures), use <match> instead.
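
The `<match>` variant mentioned at the end of the quoted reply, written out as an added example (not posted by anyone in this thread). It assumes the rule lives in `local_rules.xml`, that the rule id 100001 is unused, and that the account name `lalala` appears literally in the raw event text.

```xml
<!-- local_rules.xml: added example, not from the thread -->
<group name="local,">

  <!-- Same rule as in the quoted reply, but keyed on the raw log text
       instead of the decoded user field, for events where the decoder
       leaves the user empty or reports SYSTEM. -->
  <rule id="100001" level="11">
    <if_group>win_authentication_failed</if_group>
    <!-- Assumption: the account name occurs verbatim in the event.
         Check a sample event first and, where possible, include the
         field label that precedes the name in your logs so the pattern
         does not match the same string elsewhere in the message. -->
    <match>lalala</match>
    <description>Ignore logon failures from lalala</description>
    <options>no_email_alert</options>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Pasting a captured failure event into `ossec-logtest` shows whether the user field was decoded and which rule fires, which tells you whether `<user>` or `<match>` is the one to use.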
