On Mon, Sep 13, 2010 at 11:09 AM, Tyler Ross <[email protected]> wrote:
> Hello all!
>
> I need to create a rule that will alert when a local account is
> created on clients running OSSEC, and also a rule that will alert when any
> local account is joined to the Administrators group. These alerts need to
> be fired only on local machine events, so I need to exclude our Domain
> Controllers from this alert. Is there an expression that will allow you to
> ignore a given set of machines from this alert? Something like this?
>
> <rule id="101005" level="12">
>   <if_sid>18110</if_sid>
>   <hostname>!$domain_controllers</hostname>
>   <description>Local User Account Created or Changed on Local Machine</description>
> </rule>
>
> Thanks,
>
> Tyler Ross
Nope. You could look into using the CDB lists if you're running a current snapshot.
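The CDB-list approach the reply points at, written out as an added example (it is not from either message in this thread and not OSSEC's shipped configuration). It assumes an OSSEC build with `<list>` support in rules and `hostname` accepted as a list field, a list named `lists/domain_controllers`, and agent names `DC01`/`DC02` spelled exactly as they appear in the event's hostname field; rule id 101005 and parent 18110 are the ones from the question. The three parts go in three places: the plain-text list file, `ossec.conf`, and `rules/local_rules.xml`.

```xml
<!-- Added example, not from the thread. Assumptions: <list> support in rules,
     "hostname" as a valid list field, list path lists/domain_controllers,
     and agent names DC01/DC02 as seen in the hostname field of alerts. -->

<!-- 1. Source list, e.g. $OSSEC/lists/domain_controllers: one "key:value"
        entry per line, the key is what the lookup compares against, the value
        can be anything (or empty). Compile it with $OSSEC/bin/ossec-makelists,
        which writes domain_controllers.cdb beside it.

        DC01:domain controller
        DC02:domain controller
-->

<!-- 2. ossec.conf: register the list so ossec-analysd loads it at start. -->
<ossec_config>
  <rules>
    <list>lists/domain_controllers</list>
  </rules>
</ossec_config>

<!-- 3. rules/local_rules.xml: child of 18110 that fires only when the
        event's hostname is NOT a key in the list (lookup="not_match_key"),
        so account changes on the domain controllers stay at 18110's level. -->
<group name="local,windows,">
  <rule id="101005" level="12">
    <if_sid>18110</if_sid>
    <list field="hostname" lookup="not_match_key">lists/domain_controllers</list>
    <description>Local user account created or changed on a non-DC host</description>
  </rule>
</group>
```

Re-run `ossec-makelists` and restart OSSEC after editing the list file; `ossec-logtest` is the quickest way to confirm that a sample event from a DC stays at 18110 while the same event from any other agent escalates to 101005. The key must match the hostname exactly as OSSEC decodes it (the agent name, not the FQDN), which is also the value `<hostname>` would match on.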
