User-ID and Windows "Run As"

Not applicable


Is there any way of picking up on the Palo if a User has run an application using the Windows "Run As" function?

E.g. User1 could be logged onto machine 10.1.1.1, but runs an application as Administrator.
In the logs, this shows up as user User1 (as the user-ID is taken from the AD security log, which ties IP to user).

From what I understand of the User-ID mechanics, this isn't possible.


Accepted Solutions
L3 Networker

That is correct: if you do not generate a new security logon event, then we will not switch the user account information. I believe when you do a Run As you are only getting different user rights for that function.



All Replies

Not applicable

I had the same problem. But there is a workaround for this.

Put the account that is used for Run As in the text file ignore_user_list.txt.

This way the user in this text file will be ignored from detection through the security log.

You can also create an AD group and put these users in it. Add it to the ignore group filter.

Works great for me!
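The effect of the ignore list described in the reply above, as an added example that is not part of the original thread and is not the User-ID agent's code: a simplified model that replays logon events into an IP-to-user table, with and without an ignore list. The one-account-per-line file format, the case-insensitive match, the `CORP` domain and all event data are assumptions constructed for illustration.

```python
# Simplified model of IP-to-user mapping built from logon events.
# NOT the User-ID agent's logic: file format and matching rules are assumptions.

def parse_ignore_list(text):
    """Assumed format: one account per line, blank lines skipped, case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def build_mapping(events, ignored=frozenset()):
    """Replay (timestamp, ip, account) events; the latest non-ignored logon wins per IP."""
    mapping = {}
    for _ts, ip, account in sorted(events):  # ISO timestamps sort chronologically
        if account.lower() in ignored:
            continue  # ignored accounts never create or overwrite a mapping
        mapping[ip] = account
    return mapping

def changed_ips(events, ignored):
    """IPs whose attributed user differs once the ignore list is applied."""
    before = build_mapping(events)
    after = build_mapping(events, ignored)
    return sorted(ip for ip in before if before[ip] != after.get(ip))

# Constructed sample data: a logon event for the Run As account lands on User1's IP.
EVENTS = [
    ("2024-01-01T09:00:00", "10.1.1.1", "CORP\\User1"),
    ("2024-01-01T09:30:00", "10.1.1.1", "CORP\\Administrator"),
    ("2024-01-01T09:45:00", "10.1.1.2", "CORP\\User2"),
]
IGNORE_TEXT = "corp\\administrator\n"  # constructed ignore_user_list.txt content

if __name__ == "__main__":
    ignored = parse_ignore_list(IGNORE_TEXT)
    print("without ignore list:", build_mapping(EVENTS))
    print("with ignore list:   ", build_mapping(EVENTS, ignored))
    print("IPs re-attributed:  ", changed_ips(EVENTS, ignored))
```

In this model the ignore list keeps 10.1.1.1 attributed to User1; it does not make the Run As account visible in the mapping, so policy and logs for that IP still reflect User1.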
