Hi John,

Maybe you could try using exceptions; use the following example to find
out if it works for you. Of course, you need to find the key for logins
(not Restricted Application Executed as in the example) and find the
exact string number that contains the type of login (administrator rights
in this case) in the Windows log.

Hope it will be helpful.
Italo Tapia
Chile



All log events for the preceding event types will fire for all associated
events. In some cases firing of these events is not wanted, for example
an administrative user launching a management application. If the auditing
is set for "Everyone" this will write an event to the logs and
subsequently fire an event. To alleviate unwanted alerts, exceptions can be
implemented at the sensor level to 1.) keep the event from cluttering the
Site Protector console and 2.) keep the event from being written to the
Site Protector DB. Exceptions are created in the policy file of the
sensor.

Note: Exceptions are only applicable to OS event types; there is no
facility for writing exceptions for Network based events.

Locate or export the policy file. Open the policy file with Notepad.
Locate the signature you wish to create a filter for. From the list of
examples above, particularly Application Execution, you will look for:

[\Advanced\userdefinedsignatures\NT EventLog Rules\Restricted Application Executed\];
Enabled =B      1;
Priority        =L      1;
Event Log Source        =S      Security;
Event Log SourceName    =S      ;
Event Log Type  =L      0;
Event Log Category      =L      0;
Event Log ID    =L      560;
Regular Expression      =S      ;
CheckDescription        =S       Execution of a privileged application;

Once the event has been located, the exception lines can be added to filter
based on any information gleaned from the event. The lines are added after
all discernible event metrics; in this example the exception would be
placed after CheckDescription. Exceptions use the @String method to
identify what information determines if the event is ignored. The lines to
be added are as follows:

IgnoreCaseX =B 1/0;
RegExpX =S string to determine ignore value;
ExceptX =B 1/0;

Where X is the @String value for the event. For example, if the @String
value for the user was String 2 then the exception would look like:

IgnoreCase2 =B 1;
RegExp2 =S Administrator;
Except2 =B 1;

This will trigger an alert for every execution of the application except
when the user executing it is the Administrator user. Several exceptions can
be added to cover many ignore items, such as user and machine, or user and
domain, etc.



"Ndungu, John" <[EMAIL PROTECTED]> on Monday, December 19, 2005
at 6:33 PM -0400 wrote:
>Team,
>
>I am trying to create a server sensor policy which would notify me when a
>particular user logs into a Windows 2000 OS environment and triggers
>defined
>event log rule.
>
>Suppose there are 3 users (john, tall and Mary) where John and Mary are
>administrators of the system (tall is not), what would be the syntax of
>creating a policy that would negate logins for both John and Mary, but
>Trigger alerts for Tall? The eventual goal is to be able to track all
>non-admin login attempts
>
>I have tried to use the regular expression [~John|Mary] which negates any
>entries with John's and Mary's login credentials, but notifies me of all
>others.
>
>Kindly help
>John
> 
>
>
>**********************************************************************
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>**********************************************************************
>
>_______________________________________________
>ISSForum mailing list
>ISSForum@iss.net
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>https://atla-mm1.iss.net/mailman/listinfo/issforum
>
>To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
>
>The ISSForum mailing list is hosted and managed by Internet Security
>Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

