
[ISSForum] Logon_with_admin_privileges on Server Sensor

Subject: [ISSForum] Logon_with_admin_privileges on Server Sensor
Date: Wed, 19 Oct 2005 10:43:39 +0400
Hi list.

I've submitted an enhancement request containing the following:

The Logon_with_admin_privileges signature is VERY useful, but right now
it can't be used, because it's triggered for system accounts
(machine_name$) as well. In many cases this event is not interesting for
system accounts, but they can't be filtered because SS can't filter
events. I understand that teaching SS to filter events may need a great
deal of development, so I propose making two different signatures: one
for USER account logons with admin privileges and one for SYSTEM account
logons. Now, because of the VERY great number of
Logon_with_admin_privileges events (it's impossible to find anything in
those events), I have to switch it off.

And I received a very interesting answer: that I have to create a
validation script in TCL... and if I can't do this myself, ISS could
provide me with the script at the price of one day of consulting.
Thinking this way, we can conclude that because EVERY Windows eventlog
event and EVERY text log event can be made by hand, there is no
necessity for ISS to provide these events at all :-)

So, dear list, maybe someone has already solved the described problem
and already has such a validation script for server sensor?

Thank you.

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 
tel +7 095 777 77 07 (1613)
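
The split proposed in the message above, sketched as an added example; it is not part of the original post and is not ISS code or the Server Sensor TCL validation-script interface, which the post does not show. The event field names (`signature`, `account`), the host inventory and the sample events are constructed assumptions. A name ending in `$` is routed to the machine-account stream only when it matches a known host, so other `$` names stay visible with the user logons.

```python
def is_machine_account(account, known_hosts):
    """True only for NAME$ where NAME is a host in the inventory."""
    hosts = {h.lower() for h in known_hosts}
    # Drop an optional DOMAIN\ prefix, keep the bare account name.
    name = account.rsplit("\\", 1)[-1].strip()
    if len(name) < 2 or not name.endswith("$"):
        return False
    return name[:-1].lower() in hosts


def split_admin_logons(events, known_hosts):
    """Return (user_logons, machine_logons) for the admin-logon signature.

    Events from any other signature are ignored.
    """
    users, machines = [], []
    for ev in events:
        if ev["signature"] != "Logon_with_admin_privileges":
            continue
        if is_machine_account(ev["account"], known_hosts):
            machines.append(ev)
        else:
            users.append(ev)
    return users, machines


# Constructed sample data (assumed field names, not real sensor output).
KNOWN_HOSTS = ["FILESRV01", "DC02"]
SAMPLE_EVENTS = [
    {"signature": "Logon_with_admin_privileges", "account": "FILESRV01$"},
    {"signature": "Logon_with_admin_privileges", "account": "CORP\\dc02$"},
    {"signature": "Logon_with_admin_privileges", "account": "CORP\\Administrator"},
    # Ends in "$" but is not a known host: stays with the user logons.
    {"signature": "Logon_with_admin_privileges", "account": "backup$"},
    # Constructed name for an unrelated signature: skipped entirely.
    {"signature": "Some_other_signature", "account": "DC02$"},
]

if __name__ == "__main__":
    users, machines = split_admin_logons(SAMPLE_EVENTS, KNOWN_HOSTS)
    print("user logons:   ", [e["account"] for e in users])
    print("machine logons:", [e["account"] for e in machines])
```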


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
