topic Re: User-ID and Windows "Run As" in General Topics

User-ID and Windows "Run As"

randomcamden — Fri, 24 Sep 2010 08:19:38 GMT

Is there any way of picking up on the Palo if a User has run an application using the Windows "Run As" function?

Eg. User1 could be logged onto machine 10.1.1.1, but runs an application as Administrator.
In the logs, this shows up as user User1 (as the user-ID is taken from the AD security log, which ties IP to user).

From what I understand of the User-ID mechanics, this isn't possible..

Re: User-ID and Windows "Run As"

jnguyen — Mon, 27 Sep 2010 22:29:02 GMT

That is correct if you do not generate a new security log on event than we will not switch the user account information. I believe when you do a run ad you are only getting different user rights for that function.

Re: User-ID and Windows "Run As"

u2343 — Thu, 14 Oct 2010 21:27:43 GMT

I had the same problem. But there is a workaround for this.

Put the account what is used for Run As in the text file ignore_user_list.txt

This way the user in this text file will be ignored from detection through the security log.

You can also create a AD group and put these users in it. Add to the ignore group filter.

Works great for me!