YossiC

Members
  • Posts

    5
About YossiC

  • Rank
    Newbie

Profile Information

  • Location
    Israel

  1. Hi, is it possible to send the Trigger Event of the Detection to Syslog? For example in rules catching SSH communication, the address would appear in the "Event" tab on Inspect console. My ESET Inspect server is on the latest version.
  2. Seems the rule is dependent on "Audit Security Group Management". Events are being recorded only after this is enabled.
  3. Hi, Thank you for the reply. Yes, this is what I saw through ProcMon after posting this. I have tried testing the rule on my endpoint but it does not trigger. I also checked there are no exclusions related to this, or Events related to lsass.exe with UserAddToGroup operation.
  4. Hi guys, I'm trying to catch additions to the Local Admin group when it is done via mmc.exe, or PowerShell by anyone. The current rule "User added to Administrator group [F1000]" does not seem to trigger when it is done via mmc.exe. The only rule that does trigger is the Critical rule when the operation is done via the net command.