This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2012-05-03 09:08 AM

crl-00103 will not fire - no alerts/views.

Hi I do not get any alarms/alerts when adding a local user to local group administrators when using CRL-00103. My copy of the correlation rule is as the original. I have manually set up a rule for all windows machines. Here I do get alerts for same behavior on windows machines. In my system CRL-00103 only has one circut with one statement. Value: "User.Management.Groups.Modifications.User Added" I figure that it might be wrong setup. How do I get a "fresh" copy of the correlation rule? Thank you
Preview file
117 KB
0 Likes
Reply
1 Reply
ScottPause
Beginner
Beginner
‎2012-07-16 03:58 PM

I'm guessing that that particular CRL doesn't cover the specific windows event ID you are looking for/at.

 

 

Go to Overview / System Configuuration / Messages / Manage Messages and then show all entries for Taxonomy/Event Category = "User.Management.Groups.Modifications.User Added" AND all of the Windows devices types like attached.

 

 

These are the messages that are included in that CRL.  Otherwise, you need to make a copy of that CRL, which also includes your expected message ID.

 

 

 

 

Preview file
43 KB
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.