I have written them for:
- Locked AD account
- Global/Local group user added/removed
- Login Failure
- Password Change Success/Failure
- RDP Login Audit
- User Acct Created / Deleted
- Server Sensor service stopped (sends me an email to tell me who stopped it. I never got it working right though. Since it is the ISS services that are being stopped, the scripts don't have a chance to complete.)

Most of these send me the user name (i.e. User name JSMITH added RJONES to ACCOUNTING group) because most of what I needed to know was in that field. All of the TCL scripts had to be different though.

If you send me your TCL script I can test it for you. ISS also has a util called TCLTESTER which works pretty well for testing scripts in a pseudo-ISS environment.

David

-----Original Message-----
From: Mendetta, Michael L [mailto:[EMAIL PROTECTED]
Sent: Monday, July 18, 2005 9:17 AM
To: Mendetta, Michael L; CAUSEY, David; [email protected]
Subject: RE: [ISSForum] TCL scripts for fusion module

I have written a script only for the user account created event in a server sensor policy. I want to wait to get it working before I go trying to write any more.

Michael Mendetta
CS Security Analyst
LM EIS

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mendetta, Michael L
Sent: Friday, July 15, 2005 7:08 AM
To: CAUSEY, David; [email protected]
Subject: Re: [ISSForum] TCL scripts for fusion module

What have you written scripts for?

Michael Mendetta
CS Security Analyst
LM EIS

-----Original Message-----
From: CAUSEY, David [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 5:00 PM
To: Mendetta, Michael L; [email protected]
Subject: RE: [ISSForum] TCL scripts for fusion module

If I understand your question, yes, I have written some. What do you need? Email me offline if you want.

David
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mendetta, Michael L
Sent: Wednesday, July 13, 2005 1:25 PM
To: [email protected]
Subject: [ISSForum] TCL scripts for fusion module

Has anyone written/used TCL scripts in a server-sensor policy for use with the fusion module to provide more granular filtering?

Michael Mendetta
CS Security Analyst
LM EIS

_______________________________________________
ISSForum mailing list
[email protected]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
