Symantec Developer Group


SSIM TO AUDIT ADMINISTRATOR LOGON EVENTS ON WINDOWS SERVER 2003

  • 1.  SSIM TO AUDIT ADMINISTRATOR LOGON EVENTS ON WINDOWS SERVER 2003

    Posted Oct 05, 2011 11:26 AM

    Hi,
      in Italy there is a law that requires companies to log and retain for 6 months the logon/logoff events of administrator users on systems where personal data is present.

    With SSIM and the collector for Windows we are able to collect Windows events from the security event log; we filter by event ID and take only interactive logon/logoff events. Now we have to filter again to catch only the logon events of users that have administrator privileges on that server. Is this possible? How?

    Thanks



  • 2.  RE: SSIM TO AUDIT ADMINISTRATOR LOGON EVENTS ON WINDOWS SERVER 2003

    Posted Oct 06, 2011 09:03 AM

    It is very important for us... no idea?

     

    Alessio



  • 3.  RE: SSIM TO AUDIT ADMINISTRATOR LOGON EVENTS ON WINDOWS SERVER 2003
    Best Answer

    Posted Oct 12, 2011 10:11 AM
    Hi,

    You can try to build a custom correlation rule which updates a lookup table when an event such as "add user to a domain group with higher privileges" occurs... Then you can filter Windows events only for those users that exist in that lookup table. I think that you need to use at least SSIM 4.7.3 for this, because the Lookup Table Update Rule type was introduced in that release.

    The other way is more complex: you can write a script that gets the users that have administrative privileges from Active Directory, and then you can put this data into SSIM in two ways:

    1) by building a new collector that reads the script output and sends it to SSIM. You will see every high-privileged user entry as a single event, so then you can use a Lookup Table Update Rule to fill up the lookup table;

    2) by writing another script that performs a direct update of the lookup table in LDAP (unsupported).

    Maybe there is some other way... for a good start, try to use the lookup table rule.

    Regards
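The approach in the accepted answer (a lookup table of privileged accounts that is updated by group-membership events, then used to filter the interactive logon/logoff stream) can be illustrated outside SSIM. The example below is added here for illustration and is not code from the thread or from Symantec's SSIM; the `key=value` collector line format and the account names are constructed, while the event IDs are the Windows Server 2003 security log IDs (632/636 group member added, 633/637 group member removed, 528 logon, 538 logoff, logon types 2 and 10 for console and Remote Desktop).

```python
"""Retain interactive logon/logoff events of privileged users only.

The lookup table is built from group-membership events in stream order, the
way a correlation rule would, so a user's logons count as privileged only
between being added to and removed from a privileged group.
"""
import re
from typing import Dict, List, Set

# Windows Server 2003 (pre-Vista) security event IDs.
GROUP_MEMBER_ADDED = {632, 636}    # global / local security group member added
GROUP_MEMBER_REMOVED = {633, 637}  # global / local security group member removed
LOGON_EVENTS = {528: "logon", 538: "logoff"}
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # console and Remote Desktop (RDP)
# Groups considered "higher privileges"; adjust to the local policy.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse a constructed collector line '<timestamp> key=value key="v v" ...'."""
    ts, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["Timestamp"] = ts
    return fields


def _event_id(ev: Dict[str, str]) -> int:
    try:
        return int(ev.get("EventID", ""))
    except ValueError:
        return -1


def update_lookup_table(table: Set[str], ev: Dict[str, str]) -> bool:
    """Mirror a 'Lookup Table Update Rule': add the member on a privileged-group
    add event, drop it on a remove event. Returns True if the event was consumed."""
    if ev.get("Group") not in PRIVILEGED_GROUPS:
        return False
    member = ev.get("Member", "").lower()          # DOMAIN\user, case-insensitive
    event_id = _event_id(ev)
    if event_id in GROUP_MEMBER_ADDED and member:
        table.add(member)
        return True
    if event_id in GROUP_MEMBER_REMOVED and member:
        table.discard(member)
        return True
    return False


def is_privileged_interactive_logon(ev: Dict[str, str], table: Set[str]) -> bool:
    """True for a 528/538 event with an interactive logon type whose account is in the table."""
    if _event_id(ev) not in LOGON_EVENTS:
        return False
    if ev.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
        return False
    account = f'{ev.get("Domain", "")}\\{ev.get("User", "")}'.lower()
    return account in table


def audit_privileged_logons(lines: List[str]) -> List[Dict[str, str]]:
    """Process lines in order and return the records that must be retained."""
    table: Set[str] = set()
    retained: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if update_lookup_table(table, ev):
            continue
        if is_privileged_interactive_logon(ev, table):
            retained.append({
                "time": ev["Timestamp"],
                "action": LOGON_EVENTS[_event_id(ev)],
                "account": f'{ev["Domain"]}\\{ev["User"]}',
                "computer": ev.get("Computer", "?"),
            })
    return retained


# Constructed sample stream (not real log data).
SAMPLE_LINES = [
    '2011-10-05T08:55:00Z EventID=636 Member="CORP\\alessio" Group=Administrators Computer=SRV01',
    '2011-10-05T09:12:01Z EventID=528 User=alessio Domain=CORP LogonType=2 Computer=SRV01',   # kept
    '2011-10-05T09:13:40Z EventID=540 User=alessio Domain=CORP LogonType=3 Computer=SRV01',   # network, dropped
    '2011-10-05T09:20:15Z EventID=528 User=mrossi Domain=CORP LogonType=2 Computer=SRV01',    # not privileged
    '2011-10-05T10:00:00Z EventID=632 Member="CORP\\gbianchi" Group="Domain Admins" Computer=DC01',
    '2011-10-05T10:05:00Z EventID=528 User=gbianchi Domain=CORP LogonType=10 Computer=SRV01', # kept (RDP)
    '2011-10-05T17:30:00Z EventID=538 User=alessio Domain=CORP LogonType=2 Computer=SRV01',   # kept
    '2011-10-06T08:00:00Z EventID=637 Member="CORP\\alessio" Group=Administrators Computer=SRV01',
    '2011-10-06T09:00:00Z EventID=528 User=alessio Domain=CORP LogonType=2 Computer=SRV01',   # no longer privileged
]

if __name__ == "__main__":
    for rec in audit_privileged_logons(SAMPLE_LINES):
        print(rec)
```

The ordering matters: a membership change is applied before any later logon is evaluated, so a user removed from Administrators stops being audited from that point on while earlier records stay in the retained set. In a real deployment the table should be seeded from current group membership (the second approach in the answer) so that accounts that were privileged before collection started are not missed.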