09-24-2010 01:19 AM
Is there any way of picking up on the Palo if a User has run an application using the Windows "Run As" function?
E.g. User1 could be logged onto machine 10.1.1.1, but runs an application as Administrator.
In the logs, this shows up as user User1 (as the user-ID is taken from the AD security log, which ties IP to user).
From what I understand of the User-ID mechanics, this isn't possible.
09-27-2010 03:29 PM
That is correct: if you do not generate a new security log on event, then we will not switch the user account information. I believe when you do a Run As you are only getting different user rights for that function.
10-14-2010 02:27 PM
I had the same problem. But there is a workaround for this.
Put the account that is used for Run As in the text file ignore_user_list.txt.
This way the user in this text file will be ignored from detection through the security log.
You can also create an AD group and put these users in it. Add it to the ignore group filter.
Works great for me!