I have two thoughts:
First, it's possible that the machine that's "Detecting" the error is your Domain Controller, which hopefully doesn't have Active Response enabled. Perhaps you should try using UserLogonFailure.DestinationMachine for the agent?
Second, and a much simpler possibility: Did you click the Activate Rules button after modifying, saving, and enabling the rule?
Hi Curtisi, thanks for your answer.
The machine I'm trying to make the Windows active response on is a Windows 2008 server; it's not configured as a Domain Controller or part of any domain at all (it's a standalone VM that I installed in VMware as part of a demo). I installed the Windows agent as you can see next:
The rule is not fired at all, but manually I can shut down the machine in the monitor option. The config of the rule is this:
The Destination Machine field has the name of the agent, as I see it. In the monitor events I don't see the rule fired at all, so my suspicion is about the rule behavior, not the active response. I did activate the rule after the modification, and tested after that.
Thanks for your help!
If you go to EXPLORE --> nDEPTH, and search for events matching the rule correlation, what do you get? What do these events have in the Destination Machine field? Does it all look correct?
When you say you don't see the rule firing, you're not seeing events in the Rule Activity filter? If you do an nDepth search for InternalRuleFired where the EventInfo contains *NAMEOFRULE*, do you get any results at all in the last few days?