Hello all!
I need to create a rule that will alert when a local account is
created on clients running OSSEC, and also a rule that will alert when any
local account is joined to the Administrators group. These alerts need to
be fired only on local machine events, so I need to exclude our Domain
Controllers from this alert. Is there an expression that will allow you to
ignore a given set of machines from this alert? Something like this?
<rule id="101005" level="12">
  <if_sid>18110</if_sid>
  <hostname>!$domain_controllers</hostname>
  <description>Local User Account Created or Changed on Local Machine</description>
</rule>
Thanks,
Tyler Ross
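The usual OSSEC way to exclude a set of hosts from an alert is not a negated hostname on the alerting rule, but a level-0 child rule that matches those hosts: when a child rule matches, its level replaces the parent's, and level-0 rules are never alerted on. The following local_rules.xml fragment is an added example, not part of Tyler's post or of the OSSEC rule set; the rule ids 101005/101006 and the hostnames dc01/dc02 are placeholders, and 18110 is used as the parent only because the post does. The hostname element is an OSSEC sregex, so alternation with `|` lists several machines.

```xml
<!-- Added example (not from the original post). Rule ids and hostnames are placeholders. -->
<group name="local,windows,">

  <!-- Parent: alert on the account event the post refers to (if_sid 18110). -->
  <rule id="101005" level="12">
    <if_sid>18110</if_sid>
    <description>Local User Account Created or Changed on Local Machine</description>
  </rule>

  <!-- Child: same event, but coming from a domain controller. Level 0 means
       this match replaces the parent's level and no alert is generated.
       The hostname value is an sregex; '|' lists the machines to exclude. -->
  <rule id="101006" level="0">
    <if_sid>101005</if_sid>
    <hostname>dc01|dc02</hostname>
    <description>Account change on a domain controller, ignored</description>
  </rule>

</group>
```

The same parent/child pattern works for the Administrators-group rule: point a second level-12 rule at whichever parent rule id covers the group-membership event, and give it its own level-0 child with the same hostname list. Keeping the exclusion in a child rule also makes it easy to test: an event from dc01 should show up as rule 101006 in ossec-logtest, while the identical event from a workstation should fire 101005.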