Hello,
I need help with one issue. I want to suppress alerts based on the alert description. There is an alert coming for repeated logon attempts. When checking the alert description we can see that different types of accounts are associated. I just want to suppress the alert which is coming for a particular account. For example, if we are getting four alerts for this, one alert has the Alert Description as
Description: Security Monitoring: Repeated logon attempts
Account Domain: abc
Source: XXXXXXXXXXXXXXXXXXXXX
and in a similar way other alerts are coming where the account name is different.
I just want to suppress the alert with account domain abc. Can it be done?
Please help me with this.
Regards,
Ravi
Maybe revise the rule criteria. Try filtering on a custom parameter called "EventDescription".
For example, EventDescription does not contain "XXX".
Hi,
as you are alerting on Events (at least I assume so) you should also be able to configure alert suppression based on the positional parameter within the event. Let's say that the Source field is actually Parameter 2, then you can go ahead and suppress based on what value lies within Parameter 2:
Please go through this:
Using a Generic Text Log rule to monitor an ASCII text file – even when the file is a UNC path
Some other very helpful references:
How to query for the Windows event XML data values in SCOM
Using Event Description as criteria for a rule
Hope that helps!
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov
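Both answers above describe the same mechanism: narrowing the rule's own criteria so that events for the unwanted account never produce an alert, either by testing the full EventDescription text or by testing a positional parameter. The management pack fragment below is an added example written for this thread, not code from either answer or from Microsoft's Security Monitoring management pack. It assumes the rule fires on Windows event ID 4625 (an assumed value; substitute the event ID your rule actually uses) and that the event description contains a line reading "Account Domain: abc" as shown in the question; the Params/Param[2] clause additionally assumes the domain is the second positional parameter of that event.

```xml
<!-- Added example (not from the thread or the management pack):
     filter expression for a SCOM event rule that alerts on repeated
     logon failures but drops events for one account domain.
     Event ID 4625 and "Account Domain: abc" are assumed values. -->
<Expression>
  <And>
    <!-- 1. Keep only the event the rule is meant to alert on. -->
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="UnsignedInteger">4625</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
    <!-- 2. Suppress by description text (first answer's approach).
            Matching the whole "Account Domain: abc" line, not just "abc",
            keeps the suppression from swallowing other domains whose
            names merely contain the same letters. -->
    <Expression>
      <RegExExpression>
        <ValueExpression>
          <XPathQuery Type="String">EventDescription</XPathQuery>
        </ValueExpression>
        <Operator>DoesNotContainSubstring</Operator>
        <Pattern>Account Domain: abc</Pattern>
      </RegExExpression>
    </Expression>
    <!-- 3. Alternative from the second answer: test the positional
            parameter directly. Assumes the domain is Param 2; check the
            event XML to confirm which parameter holds it before relying
            on this clause (use only one of clause 2 or clause 3). -->
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">Params/Param[2]</XPathQuery>
        </ValueExpression>
        <Operator>NotEqual</Operator>
        <ValueExpression>
          <Value Type="String">abc</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </And>
</Expression>
```

The positional-parameter test is the more robust of the two because it compares one field exactly instead of searching free text, but it only works if the parameter index is verified against the raw event XML for that event ID. Whichever clause is used, filtering at the rule keeps the suppressed account's failed logons out of the alert view entirely, so anyone reviewing alerts should know that this one domain is intentionally excluded rather than assume it has gone quiet.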