Re: TriGeo Alert - Disk nearly full
You may also want to modify the rule to use a template with more information slots so you can get things like the "Detection IP" in the e-mail and have it tell you which machine is running low on disk...
Re: task category - event details
So I'm assuming you're talking about this thing: First off, taking a "random sample" from my System, Application and Security logs, most events seem to have this set to "None," so what are you hoping to...
Re: task category - event details
That's the correct field. In the Windows Event Viewer, I see the task category of: MPSSVC Rule-Level Policy Change (sub category), but in the LEM I do not see this?
Re: task category - event details
Which Windows log? Do you have an Event ID? What application is generating that event? Can you include a screenshot of the event from the Windows Event Viewer?
Re: task category - event details
In the LEM, the 4957 event shows, but I do not see the task category. This would help in editing the auditing in Windows Server 2008.
Adobe Flash zero-day
Any concerns here for LEM users? Adobe Flash zero-day patch is out…for the third month in a row – Naked Security
Re: Firewall Shun
Thanks for the info - that is helpful. I am just creating the rule now - I am new to LEM. Can you point me in the right direction with how to enable this? I have got the correlation in but I am unsure...
Incidents created when manager logs in as root for cron
New to LEM... we enabled a bunch of default rules. Every 15 minutes or so, incidents are created from events automatically happening on the manager. The rules that are firing to create the incidents...
Re: Incidents created when manager logs in as root for cron
Hi Matt, This is typically what a root/cron logon looks like within LEM: You can add conditions to your correlation rules to exclude certain usernames, hostnames, etc. For example, you can add a...
Re: Firewall Shun
The firewall reporting the shun should be the DetectionIP field. If you look at the events in the LEM console, you should be able to tell if it's the IP or name of the device being reported. (You could...
Re: Adobe Flash zero-day
Now Google jumping on board? https://threatpost.com/chrome-defaults-to-html5-over-adobe-flash-starting-in-q4/118109/
software installation/installation operation event
I am getting multiple "software install" from a single user. The ProviderSID are all MSIInstaller 1035. The install operation states: Configuration change completed with status 0. Thoughts?
Re: software installation/installation operation event
Can you provide a screenshot of the entire alert so we can see all the fields?
Re: Logins after hours report
Below is a screenshot of my after hours logon rule. I have listed all of our service accounts in the Service Account user-defined group, so that we do not get false positives. I hope this helps.
Re: software installation/installation operation event
That's interesting - it looks like that particular package is flailing. Is it always for Microsoft Lightswitch or does the software package vary?
Threat intelligence feed logs
We have a rule set up to use the TIF thusly: We're getting alerts from Bad Folks™ trying to hit our outside IP, but that's happening all the time -- a good portion of the reason one doesn't put an...
Re: Threat intelligence feed logs
Definitely:
any firewall egress filter/outbound traffic to a "bad IP"
any other mechanisms you have to detect internal communication sources to a "bad IP" - router ACLs, IDS, local firewalls,...
Default Filters
My work center is relatively new for the use of LEM. We are trying to set up an account for the techs to use that is pre-loaded with a set of filters that the administrators prepare for them to be...