Hello, all. Can you please assist me with a way to exclude a user account from the following? Meaning, if user matches “automatedAccount” do not return log information.
<group name=""> <rule id="900000" level="10"> <if_sid>18104</if_sid> <id>^4688</id> <regex>Token Elevation Type: %%1937</regex> <description>Escalated privileges were exercised</description> <group>escalated privileges,</group> </rule> <rule id="900001" level="9"> <if_group>authentication_success</if_group> <time>7 pm - 5 am</time> <description>Successful login during non-business hours</description> <group>login_time,</group> </rule> <rule id="900002" level="9"> <if_group>authentication_success</if_group> <weekday>weekends</weekday> <description>Successful login during weekend</description> <group>login_day,</group> </rule> <rule id="900003" level="9"> <if_sid>18105</if_sid> <id>^4656</id> <description>Filesystem Access/Change Attempt Failure</description> <group>filesystem_failure,</group> </rule> <rule id="900004" level="0"> <if_sid>900003</if_sid> <regex>Object\s+Name:\s+\\REGISTRY</regex> <description>Filesystem Access/Change Attempt Failure - Registry</description> </rule> <rule id="900005" level="0"> <if_sid>900003</if_sid> <regex>Process Name:\s+C:\\Windows\\servicing\\TrustedInstaller.exe</regex> <description>Filesystem Access/Change Attempt Failure - Trusted Installer</description> </rule> </group> <group name="policy_violation,"> <rule id="17101" level="9"> <time>7 pm - 5 am</time> <description>Successful login during non-business hours</description> <group>login_time,</group> </rule> </group> Thank you -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.