2018-11-30 09:46 AM
I'm new to this SIEM and writing rules. How would I write a simple rule to report when changes have been made to GPO?
2018-11-30 01:55 PM
So it is working for you? I also cannot import without getting an error. It doesn't appear to be my day....
2018-11-30 03:20 PM
Yea, I created those in my lab and exported them. It wouldn't have let me save/export unless the syntax was valid.
What version of NetWitness are you running? (I'm at 11.2.0.1)
2018-11-30 03:23 PM
11.2.0.0
Roger Feagin
IT Security Analyst
American Modern
RFeagin@amig.com
AMIG.COM
American Modern Home - American Family Home - American Southern Home
American Modern Property and Casualty - American Western Home
2019-07-03 12:41 PM
It looks like the GPO Created rule needs a small correction.
This part:
cast(action, string) LIKE '%Value Deleted%')
should be changed to:
cast(action, string) LIKE '%Value Added%')
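Added example, not from any poster in this thread and not NetWitness rule syntax: a small Python detector that answers the opening question (report when a GPO is changed) and shows why the "Value Added" versus "Value Deleted" distinction in the correction above matters. It reads Windows directory-service audit events 5137 (object created), 5136 (object modified, whose Operation Type is "Value Added" or "Value Deleted") and 5141 (object deleted), keeps only objects of class groupPolicyContainer, and classifies each change. The key=value log layout, the field names and the sample events are constructed for the example.

```python
from __future__ import annotations

import shlex
from collections import Counter

# Windows Security event IDs produced by "Audit Directory Service Changes".
# A 5136 event also carries an Operation Type of "Value Added" or
# "Value Deleted" for the attribute that changed.
EVENT_KINDS = {5136: "modified", 5137: "created", 5141: "deleted"}
GPO_OBJECT_CLASS = "groupPolicyContainer"

# Constructed sample log (hypothetical key=value layout and field names):
# one GPO create, an attribute replace on that GPO (old value deleted, new
# value added), a GPO delete, and an unrelated user-object change.
SAMPLE_LOG = """\
event_id=5137 subject=jdoe objectClass=groupPolicyContainer objectDN="CN={A1B2C3D4-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example" attribute=- operation_type=-
event_id=5136 subject=jdoe objectClass=groupPolicyContainer objectDN="CN={A1B2C3D4-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example" attribute=versionNumber operation_type="Value Deleted"
event_id=5136 subject=jdoe objectClass=groupPolicyContainer objectDN="CN={A1B2C3D4-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example" attribute=versionNumber operation_type="Value Added"
event_id=5141 subject=svc_gpadmin objectClass=groupPolicyContainer objectDN="CN={A1B2C3D4-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=example" attribute=- operation_type=-
event_id=5136 subject=jdoe objectClass=user objectDN="CN=Alice,CN=Users,DC=corp,DC=example" attribute=description operation_type="Value Added"
"""


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")  # split on the first '=' only
        fields[key] = value
    fields["event_id"] = int(fields["event_id"])
    return fields


def classify(event: dict) -> tuple[str, str] | None:
    """Return (change_kind, gpo_dn) for a GPO container change, else None."""
    if event.get("objectClass") != GPO_OBJECT_CLASS:
        return None
    kind = EVENT_KINDS.get(event["event_id"])
    if kind is None:
        return None
    if kind == "modified":
        # Same distinction the thread's rule makes on its action string.
        op = event.get("operation_type", "")
        if "Value Added" in op:
            kind = "attribute value added"
        elif "Value Deleted" in op:
            kind = "attribute value deleted"
    return kind, event["objectDN"]


def gpo_changes(log_text: str) -> list[tuple[str, str, str]]:
    """Return (change_kind, subject, gpo_dn) for every GPO change in the log."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hit = classify(event)
        if hit is not None:
            results.append((hit[0], event["subject"], hit[1]))
    return results


def change_counts(log_text: str) -> Counter:
    """Count GPO changes by kind, which is what a summary alert would report."""
    return Counter(kind for kind, _, _ in gpo_changes(log_text))


if __name__ == "__main__":
    for kind, subject, dn in gpo_changes(SAMPLE_LOG):
        print(f"{kind:24} by {subject:12} on {dn}")
    print(change_counts(SAMPLE_LOG))
```

Note the caveat visible in the sample: replacing an attribute on an existing GPO typically produces a "Value Deleted" event for the old value followed by a "Value Added" event for the new one, so a rule keyed on "Value Deleted" alone would fire on ordinary edits rather than on deletions; a dedicated "GPO deleted" detection is better anchored on event 5141.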