Hello, all. Can you please assist me with a way to exclude a user account
from the following? Meaning, if the user matches "automatedAccount", do not
return log information.
<group name="">
<rule id="900000" level="10">
<if_sid>18104</if_sid>
<id>^4688</id>
<regex>Token Elevation Type: %%1937</regex>
<description>Escalated privileges were
exercised</description>
<group>escalated privileges,</group>
</rule>
<rule id="900001" level="9">
<if_group>authentication_success</if_group>
<time>7 pm - 5 am</time>
<description>Successful login during
non-business hours</description>
<group>login_time,</group>
</rule>
<rule id="900002" level="9">
<if_group>authentication_success</if_group>
<weekday>weekends</weekday>
<description>Successful login during
weekend</description>
<group>login_day,</group>
</rule>
<rule id="900003" level="9">
<if_sid>18105</if_sid>
<id>^4656</id>
<description>Filesystem Access/Change
Attempt Failure</description>
<group>filesystem_failure,</group>
</rule>
<rule id="900004" level="0">
<if_sid>900003</if_sid>
<regex>Object\s+Name:\s+\\REGISTRY</regex>
<description>Filesystem Access/Change
Attempt Failure - Registry</description>
</rule>
<rule id="900005" level="0">
<if_sid>900003</if_sid>
<regex>Process
Name:\s+C:\\Windows\\servicing\\TrustedInstaller.exe</regex>
<description>Filesystem Access/Change
Attempt Failure - Trusted Installer</description>
</rule>
</group>
<group name="policy_violation,">
<rule id="17101" level="9">
<time>7 pm - 5 am</time>
<description>Successful login during non-business
hours</description>
<group>login_time,</group>
</rule>
</group>
Thank you
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
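One way to do the exclusion asked about above, as an added example that is not part of the original post and not OSSEC's own rule set: a level 0 child rule that names the poster's rule ids in if_sid, so the event is consumed without an alert when the actor is automatedAccount. Rule ids 900010 and 900011 are assumed to be free in the local range, and the second rule assumes the account shows up in the event text as "Account Name: automatedAccount"; both are assumptions, not facts from the post.

```xml
<group name="local,">
  <!-- Added example, not from the post or from OSSEC. Rule id 900010 is an assumed free id. -->
  <!-- Fires only after one of the listed parents matched; level 0 suppresses the alert. -->
  <!-- <user> is a substring match against the decoded user, so ^ and $ anchor it and keep -->
  <!-- names such as "automatedAccount2" from being silenced as well. -->
  <rule id="900010" level="0">
    <if_sid>900000,900001,900002,900003</if_sid>
    <user>^automatedAccount$</user>
    <description>Ignore automatedAccount for the custom Windows rules</description>
  </rule>

  <!-- Fallback for records where the decoder does not put the account into the user field. -->
  <!-- For Windows eventlog records the decoded user is often the eventlog user column (frequently -->
  <!-- "(no user)"), not the Subject / Account Name inside the message, so match the message text. -->
  <!-- Assumption: the name appears as "Account Name: automatedAccount"; rule id 900011 is assumed free. -->
  <rule id="900011" level="0">
    <if_sid>900000,900003</if_sid>
    <regex>Account Name:\s+automatedAccount</regex>
    <description>Ignore automatedAccount for the custom Windows rules (matched on message text)</description>
  </rule>
</group>
```

Before relying on either rule, paste a real record for the account into /var/ossec/bin/ossec-logtest: the decoder output shows whether a user field was extracted at all (which decides whether 900010 can ever match) and the rule output shows which rule fires last. The two rules should be placed in local_rules.xml after the rules they reference, since if_sid must point at an id that is already loaded.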