Hi list.

I've submitted an enhancement request containing the following:

The Logon_with_admin_privileges signature is VERY useful, but now it can't be used, because it's triggered for system accounts (machine_name$) as well. In many cases this event is not interesting for system accounts, but they can't be filtered because SS can't filter events. I understand that teaching SS to filter events may need great development, so I propose to make two different signatures: one for USER account logons with admin privileges and one for SYSTEM account logons. Now, because of the VERY great number of Logon_with_admin_privileges events (so it's impossible to find anything in those events), I have to switch it off.
And I received a very interesting answer: that I have to create a validation script in TCL... and if I can't do this by myself, ISS could provide me with the script at the price of one day of consulting. Thinking this way, we can conclude that because EVERY Windows eventlog event and EVERY text log event can be made by hand, there is no necessity for ISS to provide these events at all :-)

So, dear list, maybe someone has already solved the described problem and already has such a validation script for server sensor?

Thank you.

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)
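The split the post asks for (user accounts versus machine_name$ accounts) can also be done on exported events outside the sensor. The following is an added example, not part of the original post and not an ISS Server Sensor TCL validation script; the `sig=`/`host=`/`account=` line layout, the sample events and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not real sensor output). The key=value layout
# is an assumption for this example, not the Server Sensor's own format.
SAMPLE_EVENTS = [
    "2004-03-01T09:12:44 sig=Logon_with_admin_privileges host=SRV01 account=CORP\\SRV01$",
    "2004-03-01T09:12:51 sig=Logon_with_admin_privileges host=SRV01 account=CORP\\jsmith",
    "2004-03-01T09:13:02 sig=Logon_with_admin_privileges host=SRV02 account=srv02$",
    "2004-03-01T09:15:30 sig=Logon_with_admin_privileges host=SRV02 account=CORP\\Administrator",
    "2004-03-01T09:15:31 sig=Other_signature host=SRV02 account=CORP\\jsmith",
    "2004-03-01T09:16:00 sig=Logon_with_admin_privileges host=SRV03",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Return the key=value fields of one event line as a dict."""
    return dict(FIELD.findall(line))

def is_machine_account(account):
    """True when the name, without its DOMAIN\\ prefix, ends in '$'."""
    name = account.rsplit("\\", 1)[-1].strip()
    return name.endswith("$")

def split_admin_logons(lines, signature="Logon_with_admin_privileges"):
    """Split events of one signature into user, machine and unparsed lists."""
    users, machines, unparsed = [], [], []
    for line in lines:
        event = parse_event(line)
        if event.get("sig") != signature:
            continue
        account = event.get("account")
        if not account:
            unparsed.append(line)  # keep for review, never drop silently
        elif is_machine_account(account):
            machines.append(event)
        else:
            users.append(event)
    return users, machines, unparsed

def user_logon_counts(lines):
    """Per-account count of admin logons made by user accounts only."""
    users, _, _ = split_admin_logons(lines)
    return Counter(e["account"].lower() for e in users)

if __name__ == "__main__":
    users, machines, unparsed = split_admin_logons(SAMPLE_EVENTS)
    print(len(users), "user,", len(machines), "machine,", len(unparsed), "unparsed")
    print(user_logon_counts(SAMPLE_EVENTS))
```

A trailing `$` is a naming convention rather than proof of a computer account, so the machine list is better archived than discarded.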
