I've changed my rule to look like this:
pattern=Security: .* NT AUTHORITY\\SYSTEM: User Account Locked Out: Target Account Name: (\S+) .*
Does this look correct? It works, just not sure if it will always work as I
want.
.vp
From: [EMAIL PROTECTED]
To: [email protected]
Date: Wed, 12 Mar 2008 12:03:26 -0400
Subject: [Simple-evcorr-users] Need Help With windows.sec Rules
All;
I am looking at the four rules in
http://www.bleedingthreats.net/sec/windows.sec and, not being a Windows admin, I
was wondering what the reference to "Everyone" was for. I've tried using this
rule and it does not work; my log output looks like this:
Security: 644: NT AUTHORITY\SYSTEM: User Account Locked Out: Target Account Name: smith Target Account ID: %{S-1-5-21-484763869-1220945662-839522117-1727} Caller Machine Name: CLIENT-PC1 Caller User Name: MSDC1$ Caller Domain: INTANET CallerLogon ID: (0x0,0x3E7
The rule which I believe should have been triggered by this event is:
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+Security: \\Everyone: User Account Locked Out: Target Account Name: (\S+) .*
desc=$0
action=pipe '$1 Windows Account Lockout: %s' /usr/bin/mail -s "Windows Account Locked on $1" [EMAIL PROTECTED]
Was this intended to be something else, i.e. a hostname? In my environment, I
have several AD servers, and would need to make many entries, assuming this is
to be replaced with a hostname.
Is there anything at all required to be changed, aside from the email target?
Thanks!
.vp
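An added, stand-alone check of the two SEC patterns discussed in this thread (my own example, not code from the thread or from windows.sec): both regexes are run over constructed event 644 lines with Python's re module, which evaluates this regex subset the same way SEC's Perl matcher does, and the value the rule's last capture ($1 or $2 in the action line) would hold is returned. The third pattern, TIGHTER_RULE, is my suggested variant and not something the poster used; all sample events other than the one quoted in the post are constructed, and the hostnames, account names and SIDs in them are made up.

```python
import re

# Regex from the windows.sec rule quoted in the thread (SEC's pattern= is a
# Perl regex; Python's re behaves identically on this subset).
ORIGINAL_RULE = re.compile(
    r"\S+\s+\d+\s+\S+\s+(\S+)\s+Security: \\Everyone: User Account Locked "
    r"Out: Target Account Name: (\S+) .*"
)

# Regex from the poster's revised rule.
REVISED_RULE = re.compile(
    r"Security: .* NT AUTHORITY\\SYSTEM: User Account Locked Out: Target "
    r"Account Name: (\S+) .*"
)

# Suggested variant (my assumption, not from the thread): pin the event ID and
# delimit the account name by the field that always follows it, so a name
# containing a space is captured whole instead of being cut at the first blank.
TIGHTER_RULE = re.compile(
    r"Security: 644: NT AUTHORITY\\SYSTEM: User Account Locked Out: "
    r"Target Account Name: (.+?) Target Account ID: "
)

# Constructed sample events (not real logs). The first is the event 644 line
# from the post rejoined onto one line; the others are variants for testing.
SAMPLE_EVENTS = [
    # 0: the line from the post, exactly as quoted (no syslog prefix)
    "Security: 644: NT AUTHORITY\\SYSTEM: User Account Locked Out: Target Account "
    "Name: smith Target Account ID: %{S-1-5-21-484763869-1220945662-839522117-1727} "
    "Caller Machine Name: CLIENT-PC1 Caller User Name: MSDC1$ Caller Domain: INTANET "
    "CallerLogon ID: (0x0,0x3E7",
    # 1: same event with the syslog date/hostname prefix the original rule expects
    "Mar 12 12:03:26 dc1.example.test Security: 644: NT AUTHORITY\\SYSTEM: User Account "
    "Locked Out: Target Account Name: jdoe Target Account ID: %{S-1-5-21-1-2-3-1001} "
    "Caller Machine Name: CLIENT-PC2 Caller User Name: DC1$ Caller Domain: EXAMPLE "
    "CallerLogon ID: (0x0,0x3E7)",
    # 2: account name containing a space (legal in Windows logon names)
    "Security: 644: NT AUTHORITY\\SYSTEM: User Account Locked Out: Target Account "
    "Name: svc backup Target Account ID: %{S-1-5-21-1-2-3-1105} "
    "Caller Machine Name: CLIENT-PC3 Caller User Name: DC1$ Caller Domain: EXAMPLE "
    "CallerLogon ID: (0x0,0x3E7)",
    # 3: an unrelated security event that must not fire the lockout rule
    "Security: 529: NT AUTHORITY\\SYSTEM: Logon Failure: Reason: Unknown user name "
    "or bad password User Name: jdoe Domain: EXAMPLE Logon Type: 3",
]


def match_rule(rule, event):
    """Return the account name the rule's last capture group would hold, or None."""
    m = rule.search(event)  # SEC matches unanchored, like re.search
    return m.group(m.lastindex) if m else None


def lockouts(rule, events=SAMPLE_EVENTS):
    """Run one rule over all events and list the account names it would alert on."""
    return [name for name in (match_rule(rule, e) for e in events) if name is not None]


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE),
                        ("revised", REVISED_RULE),
                        ("tighter", TIGHTER_RULE)):
        print(f"{label:8s} -> {lockouts(rule)}")
```

Run as-is, the original windows.sec pattern matches none of the events (it wants a syslog prefix and a `\Everyone` caller that these events do not contain), the revised pattern fires on the three lockouts but reports only `svc` for the account `svc backup`, and the tighter pattern reports the full name. Whichever pattern is used, the `$1` in the poster's action line refers to the first capture, so with the revised rule `$1` is the account name rather than the hostname the original rule put there.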
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users