This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 2%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Hello,
I need help with one issue. I want to suppress alert bases on alert description. There is an alert coming for Repeated login attempt. When checking the alert description we can see there different types of account associated. I just want to suppress the alert which is coming for a particular account. like if we are getting four alerts for this. Once Alert is having Alert Description as
Description: Security Monitoring: Repeated logon attempts
Account Domain: abc
Source: XXXXXXXXXXXXXXXXXXXXX
and similar way other alerts are coming where the account name is different.
I just want to suppress the alert with account domain abc. Can it be done?
Please help me on this.
Regards,
Ravi
Maybe revise the rule criteria. Try filtering on a customer parameter called "EventDescription".
For example EventDescription does not contain "XXX"
Below is the Alert Description and i want to suppress for account domain ABC(inline code):-
The following has occurred 10 times:
Event Description: An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: XXXXXXXX
`Account Domain: ABC`
Failure Information:
Failure Reason: %%2313
Status: 0xffffffffc000006d
Sub Status: 0xffffffffc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: ###########
Source Network Address: #########
Source Port: ######
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
Also below is the Event Description. Can you please suggest:-
The following has occurred $Data/Count$ times:
Event Description: $Data/Context/DataItem/EventDescription$
Hi,
as you are alerting on Events (at least I assume so) you should also be able to configure alert supression, based on the positional parametere within the event. Let's say that the Source field is actually Parameter 2, then you can go ahead and supress based on what value lies within Parameter 2:
Please go through thiss:
Using a Generic Text Log rule to monitor an ASCII text file – even when the file is a UNC path
Some other very helpful references:
How to query for the Windows event XML data values in SCOM
Using Event Description as criteria for a rule
Hope that helps!
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov