tmuster2k 22 Posted December 18, 2019

Is it possible to create a report that will show what specific Windows user login was used to PAUSE Protection or Pause Firewall locally on Endpoint? I know Audit Report will show you what User/Native user for ESMC performed any action, but can you show what Windows user or domain admin account was logged in when Pausing protection for ESET?
Administrators Marcos 5,455 Posted December 19, 2019

Currently it seems it's not possible to generate client audit reports. I assume this is because audit log records are not sent to ESMC. I'll check with developers if it will be possible in the future.
ESET Staff MichalJ 434 Posted December 20, 2019

@tmuster2k In Endpoint 7.1, there was a functionality implemented called "Audit logs", that you will find in the local interface of the endpoint. Currently this data is not being collected by ESMC, so the only way to troubleshoot this is locally on the client. What is your current setup? Do your users have admin privileges, so they can alter local endpoint settings?
Hpoonis 7 Posted December 20, 2019 (edited)

You could just try this: A blanket Active Directory login script that writes the username (or login ID) to a network directory (filename would be username) and a logoff script that writes the same info. Thus you would have a timestamp entry (and workstation entry) for when a user logged on and off. Any changes can then be narrowed to whichever user was logged on to whichever workstation at a specific time. Simply ordering the files by date would show which users and which times.

Edited December 20, 2019 by Hpoonis
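The correlation step of the login/logoff-script approach suggested above, as an added example that is not part of the original thread: it pairs logon and logoff records into sessions and reports who was logged on to a workstation at the time a setting was changed. The record format, host names, user names and the change time are constructed assumptions; the change time would be read by the analyst from the endpoint's local audit log.

```python
from datetime import datetime

# Constructed sample records. Assumed line format written by the logon and
# logoff scripts: ISO timestamp, workstation, user, event.
SAMPLE_LOG = """\
2019-12-18T08:02:11,WS-014,jdoe,LOGON
2019-12-18T08:05:40,WS-022,asmith,LOGON
2019-12-18T12:31:07,WS-014,jdoe,LOGOFF
2019-12-18T12:40:19,WS-014,helpdesk1,LOGON
2019-12-18T13:02:55,WS-014,helpdesk1,LOGOFF
2019-12-18T13:05:00,WS-014,jdoe,LOGON
2019-12-18T17:30:00,WS-022,asmith,LOGOFF
"""

def build_sessions(log_text):
    """Pair LOGON/LOGOFF lines into (workstation, user, start, end) sessions.
    end is None when no logoff was recorded (crash, power loss, still on)."""
    open_at, sessions = {}, []
    # ISO timestamps in one format sort correctly as plain strings.
    for line in sorted(filter(None, map(str.strip, log_text.splitlines()))):
        stamp, host, user, event = line.split(",")
        when = datetime.fromisoformat(stamp)
        key = (host.upper(), user.lower())
        if event == "LOGON":
            if key in open_at:  # previous logoff was never recorded
                sessions.append((*key, open_at[key], None))
            open_at[key] = when
        elif event == "LOGOFF" and key in open_at:
            sessions.append((*key, open_at.pop(key), when))
    sessions += [(*key, start, None) for key, start in open_at.items()]
    return sessions

def users_at(sessions, workstation, change_time):
    """Users with a session on the workstation covering change_time.
    Sessions with no recorded logoff are reported as open-ended."""
    when = datetime.fromisoformat(change_time)
    hits = []
    for host, user, start, end in sessions:
        if host == workstation.upper() and start <= when and (end is None or when <= end):
            hits.append((user, "confirmed" if end is not None else "open-ended"))
    return sorted(hits)

if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOG)
    # Change time is a constructed value standing in for an audit log entry.
    print(users_at(sessions, "ws-014", "2019-12-18T12:45:00"))
```

An "open-ended" result means the logoff script never ran for that session, so the user may or may not still have been logged on at the queried time.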
tmuster2k 22 Posted December 26, 2019 Author

On 12/19/2019 at 11:37 PM, MichalJ said:
> @tmuster2k In Endpoint 7.1, there was a functionality implemented called "Audit logs", that you will find in the local interface of the endpoint. Currently this data is not being collected by ESMC, so the only way to troubleshoot this is locally on the client. What is your current setup? Do your users have admin privileges, so they can alter local endpoint settings?

Users only have standard rights. UAC prompt appears if you try to alter endpoint settings.
itman 1,802 Posted December 26, 2019

1 hour ago, tmuster2k said:
> Users only have standard rights. UAC prompt appears if you try to alter endpoint settings.

If these individuals are set up under a Win standard user account, no UAC prompt should appear since they are not allowed to elevate privileges. However, if they are set up as Win limited admin users, then the UAC prompt will appear for activity requiring full admin privileges. Note that limited admin account users run as standard users with the ability to escalate to full admin privileges as dictated by the system activity being performed. The setting that controls whether a limited admin account can access ESET GUI settings under admin privileges is shown below: