Hi gurus,
As a new guy to RSA NetWitness, I would appreciate a few minutes of your time to reply if you know the answer.
I have a few SQL servers with a single service account (let's call it sql_acct) that must be used for all SQL Server instances. This account must be logged into only from the SQL servers, not from the workstations. How do I build the alert logic that would alert me if the SQL server was managed from any workstation? #Alert Logic
The ESA language is included in my original post, which you can copy and recreate as an application rule.
The logon_type values are explained here:
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
You can view the application rules from the link in my first post as well, then download them via your RSA NW system (RSA Live > search > application rules). You can use one as a template to create something that models this requirement, which you can then push to your log decoders.
something like this:
ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst = 'sql_acct' && logon.type = '2','10','11','12' && device.class = 'Windows Hosts' && reference.id = '4624','528','540'
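The rule above fires on every interactive logon by the service account; the original requirement also needs the logon to come from somewhere other than a SQL server. Here is that complete check as an added example (my own Python, not the NetWitness rule language or anything from the thread) run over constructed 4624-style events; the SQL host allowlist and field names are assumptions.

```python
# Added example, not from the thread: flag interactive logons by the SQL
# service account that do not originate from a known SQL server.
# Host names and event fields below are assumed placeholders.
from dataclasses import dataclass

SERVICE_ACCOUNT = "sql_acct"
SQL_SERVERS = {"SQL01", "SQL02"}           # assumed allowlist of SQL hosts
INTERACTIVE_LOGON_TYPES = {2, 10, 11, 12}  # Interactive, RemoteInteractive, Cached*
LOGON_EVENT_IDS = {4624, 528, 540}         # successful logon (new and legacy IDs)

@dataclass
class LogonEvent:
    event_id: int
    user: str
    logon_type: int
    host: str       # computer that recorded the event (device.host)
    src_host: str   # Workstation Name reported in the event, "-" if none

def is_rogue_service_logon(ev: LogonEvent) -> bool:
    """True when sql_acct logs on interactively and the logon neither
    happened on nor came from a known SQL server."""
    if ev.event_id not in LOGON_EVENT_IDS:
        return False
    if ev.user.lower() != SERVICE_ACCOUNT:
        return False
    if ev.logon_type not in INTERACTIVE_LOGON_TYPES:
        return False
    # A logon on, or coming from, a SQL server is the expected usage.
    origin = ev.src_host if ev.src_host not in ("", "-") else ev.host
    return origin.upper() not in SQL_SERVERS

def find_alerts(events):
    return [ev for ev in events if is_rogue_service_logon(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    LogonEvent(4624, "sql_acct", 5, "SQL01", "-"),          # service start on SQL01: ok
    LogonEvent(4624, "sql_acct", 10, "SQL02", "SQL01"),     # RDP from SQL01 to SQL02: ok
    LogonEvent(4624, "sql_acct", 10, "SQL01", "WKS-1234"),  # RDP from a workstation: alert
    LogonEvent(4624, "sql_acct", 2, "WKS-5678", "-"),       # console logon on a workstation: alert
    LogonEvent(4624, "jsmith", 2, "WKS-5678", "-"),         # other user: ignore
    LogonEvent(4625, "sql_acct", 2, "WKS-9999", "-"),       # failed logon: not a success event
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {ev.user} logon type {ev.logon_type} on {ev.host} from {ev.src_host}")
```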