skiao

Alerting http access

Discussion created by skiao on Jul 31, 2012
Latest reply on Sep 18, 2012 by RSA Admin
i want to get an alert every time service account accessing the internet. How do i set it up? i have ran event explorer and noted down the messageID that i want to capture. no success. Which event category should i use for this kind of alert? i currently set it to "user.Activity.Normal Activity". created new circuit, in the event selection - select event ID device is ironport WSA comparison "IN" value post:04;CONNCT:04 - set filter is point to where username "IN watchlist" svc account already specify in watchlist any idea??

Outcomes