I have a correlation rule I've written to detect failed logins from MAD,
which is working great. The only issue I have is it is firing for
workstation failed attempts as well, and although I want those logged, i
would prefer not to have the correlation rule fire. Is there a way to
exclude anything with $ in the Initiator or Target Usernames so I don't
get bombarded with alerts for those? Based on my testing, a wildcard
won't work at the start of a filter string for either of those fields,
so I'm hoping someone has found a nice workaround.

Thanks in advance for any insight or help!!


jkinney's Profile: https://forums.netiq.com/member.php?userid=296
View this thread: https://forums.netiq.com/showthread.php?t=47001