Is there any way of picking up on the Palo if a User has run an application using the Windows "Run As" function?
E.g. User1 could be logged onto machine 10.1.1.1, but runs an application as Administrator.
In the logs, this shows up as user User1 (as the user-ID is taken from the AD security log, which ties IP to user).
From what I understand of the User-ID mechanics, this isn't possible.
I had the same problem. But there is a workaround for this.
Put the account that is used for Run As in the text file ignore_user_list.txt.
This way the user in this text file will be ignored from detection through the security log.
You can also create an AD group and put these users in it. Add it to the ignore group filter.
Works great for me!
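
A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not Palo Alto Networks code: the latest logon event seen for an IP overwrites the mapping, so a Run As logon replaces User1 unless the Run As account is on the ignore list. The event tuples, the `CORP` domain, the function names and the one-account-per-line, case-insensitive matching are assumptions made for illustration.

```python
# Constructed sample events in the spirit of AD security-log logons:
# (source IP, account), oldest first. Not real log output.
SAMPLE_EVENTS = [
    ("10.1.1.1", "CORP\\User1"),          # interactive logon
    ("10.1.1.1", "CORP\\Administrator"),  # Run As on the same machine
    ("10.1.1.2", "CORP\\User2"),
]


def load_ignore_list(text):
    """Parse ignore-list text: one account per line (assumed format)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_ignored(account, ignore):
    """Match on the full name or on the name without its domain prefix."""
    full = account.lower()
    short = full.split("\\")[-1]
    return full in ignore or short in ignore


def build_mapping(events, ignore=frozenset()):
    """Return the IP-to-user table after replaying events in order.

    The most recent non-ignored logon for an IP wins, which is why an
    unfiltered Run As logon hides the interactive user.
    """
    mapping = {}
    for ip, account in events:
        if is_ignored(account, ignore):
            continue  # ignored accounts never create or replace a mapping
        mapping[ip] = account
    return mapping


if __name__ == "__main__":
    print("no ignore list:  ", build_mapping(SAMPLE_EVENTS))
    ignore = load_ignore_list("Administrator\n")
    print("with ignore list:", build_mapping(SAMPLE_EVENTS, ignore))
```

An ignored account never produces a mapping of its own, so a host where only that account logs on stays unmapped in this model.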