Any ideas? Thanks again.
Tried with rules that matched the case of the username, but they still wouldn't exclude. Also tried with removing the exclusions containing asterisks, but the usernames still didn't exclude. Attached is a sanitized screenshot. Does it look properly configured? Thanks again.
All 4 of the Objectives are at the top. Each has the any event ID selected, as well as various event IDs listed in the any event ID field, as well as exclusions for the user IDs: abcdef,ghijkl,mnasterisk,asterisk$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Also noticed that I am unable to move the Objectives up and down buttons to make one Objective higher...
All 4 of the Objectives are at the top. Each has the any event ID selected, as well as various event IDs listed in the any event ID field, as well as exclusions for the user IDs: abcdef,ghijkl,mnasterisk,asterisk$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Noticed that I am now unable to move the Objectives up and down in around to make one Objective...
All 4 of the Objectives are at the top. Each has the any event ID selected, as well as various event IDs listed in the any event ID field, as well as exclusions for the user IDs: abcdef,ghijkl,mn,$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Noticed that I am now unable to move the Objectives up and down in around to make one Objective higher or lower....
I tried that, but it didn't seem to work. I was re-checking the Snare guide, and it stated: The match terms (EventID Match, General Match and User Match) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression by selecting the checkbox next to it. If it is not...
Tried multiple variations, but never was able to get it to work. Has anyone else been successful on the syntax? Would like to exclude the usernames similar to the following: "$,abcdef,ghi*" "$" would be for any username ending in $, such as computer_name$, machine$. If $ is not possible, would Snare understand something like the hostname variable or %computername% to at least exclude local machine logins? "abc*def" would be for multiple usernames that begin and end with the same characters, with...
Tried multiple variations, but never was able to get it to work. Has anyone else been successful on the syntax? Would like to exclude the usernames similar to the following: $,abcdef,ghi* $ would be for any username ending in $, such as computer_name$, machine$. If $ is not possible, would Snare understand something like the hostname variable or %computername% to at least exclude local machine logins? abc*def would be for multiple usernames that begin and end with the same characters, with only the...
I tried *\$, but am still getting logons where the username contains $.
I would like to exclude usernames containing special characters, such as machine...
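The guide excerpt quoted above says the User Match field takes DOS wildcards (`*`, `?`) and is not a regular expression, which is why `$` on its own and `*\$` do not exclude machine accounts while `*$` does. The following is an added simulation of that matching rule written for this thread, not Snare's own code; it assumes the field is comma-separated (as in the posts above) and that the comparison is case-insensitive, which is an assumption about the agent's behaviour.

```python
import re


def dos_wildcard_to_regex(pattern: str, ignore_case: bool = True) -> re.Pattern:
    """Translate a DOS-style wildcard into an anchored regex.

    '*' matches any run of characters and '?' exactly one character; every
    other character, including '$' and '\\', is matched literally (this is the
    difference from a PCRE General Match, where '$' would be an anchor).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0  # case handling is an assumption
    return re.compile("^" + "".join(parts) + "$", flags)


def parse_user_exclusions(field: str) -> list:
    """Split a comma-separated User Match field into trimmed patterns."""
    return [p.strip() for p in field.split(",") if p.strip()]


def is_user_excluded(username: str, field: str) -> bool:
    """True if any pattern in the exclusion field matches the whole username."""
    return any(dos_wildcard_to_regex(p).match(username)
               for p in parse_user_exclusions(field))


def filter_events(events: list, field: str) -> list:
    """Keep only events whose user is NOT matched by the exclusion field."""
    return [e for e in events if not is_user_excluded(e["user"], field)]


# Constructed sample events (not real Snare output): computer accounts end in '$'.
SAMPLE_EVENTS = [
    {"event_id": 4624, "user": "WORKSTATION01$"},
    {"event_id": 4624, "user": "alice"},
    {"event_id": 4672, "user": "abcdef"},
    {"event_id": 4624, "user": "ghijkl"},
    {"event_id": 4634, "user": "svc$backup"},
]

if __name__ == "__main__":
    for field in ("$", r"*\$", "*$,abcdef,ghi*"):
        kept = [e["user"] for e in filter_events(SAMPLE_EVENTS, field)]
        print(f"User Match {field!r:16} keeps {kept}")
```

Only the third field removes the `WORKSTATION01$` logon; `svc$backup` survives because `*$` requires the `$` at the end of the name.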
Thanks Benjamin. So if the newest EventRecordID is 10001 and the oldest EventRecordID...
I went to the registry and under HKLM\Software\InterSect Alliance\AuditService\Status...
Epilog 1.6.0 registry key and %SystemRoot%