User-ID and Windows "Run As"

Not applicable

Is there any way of picking up on the Palo if a User has run an application using the Windows "Run As" function?

E.g. User1 could be logged onto machine 10.1.1.1, but runs an application as Administrator.
In the logs, this shows up as user User1 (as the User-ID is taken from the AD security log, which ties IP to user).

From what I understand of the User-ID mechanics, this isn't possible.

2 REPLIES

L3 Networker (accepted solution)

That is correct: if you do not generate a new security logon event, then we will not switch the user account information. I believe when you do a Run As you are only getting different user rights for that function.

I had the same problem. But there is a workaround for this.

Put the account that is used for Run As in the text file ignore_user_list.txt.

This way the user in this text file will be ignored from detection through the security log.

You can also create an AD group and put these users in it. Add it to the ignore group filter.

Works great for me!
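To make the workaround in the two replies concrete, here is an added example that models the behaviour the thread describes; it is not code from either poster or from Palo Alto Networks. It simulates how an agent that builds IP-to-user mappings from Windows Security logon events (event 4624) would switch the mapping for 10.1.1.1 from User1 to Administrator when a Run As logon is recorded, and how an ignore list prevents that. The event records and the ignore_user_list.txt contents are constructed sample data; the "one account per line" format is what the reply states, while support for `#` comments and `*` wildcards in the list is an assumption of this model, not a documented feature.

```python
import re

# Constructed sample of simplified Windows Security log entries.
# Real 4624 events carry many more fields; only what the mapping needs is kept.
SAMPLE_EVENTS = [
    # User1 logs on interactively to the workstation 10.1.1.1
    {"event_id": 4624, "account": "CORP\\User1", "ip": "10.1.1.1", "logon_type": 2},
    # User1 launches a tool with Run As -> a second logon event for Administrator
    # from the same workstation IP
    {"event_id": 4624, "account": "CORP\\Administrator", "ip": "10.1.1.1", "logon_type": 2},
    # Another user on another host, followed by a logoff (4634 is not a mapping event)
    {"event_id": 4624, "account": "CORP\\User2", "ip": "10.1.1.2", "logon_type": 2},
    {"event_id": 4634, "account": "CORP\\User2", "ip": "10.1.1.2", "logon_type": 2},
]

# Constructed ignore_user_list.txt contents: one account per line.
# Comment lines and '*' wildcards are an assumption of this model.
IGNORE_LIST_TEXT = """
# Run As and service accounts that must never become an IP-to-user mapping
CORP\\Administrator
corp\\svc_*
"""


def parse_ignore_list(text):
    """Turn the ignore list into case-insensitive regexes, '*' matching any run."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Escape everything, then re-enable '*' as a wildcard
        regex = "^" + re.escape(line).replace(r"\*", ".*") + "$"
        patterns.append(re.compile(regex, re.IGNORECASE))
    return patterns


def is_ignored(account, patterns):
    """True if the account matches any ignore-list entry."""
    return any(p.match(account) for p in patterns)


def build_ip_user_map(events, ignore_patterns):
    """Replay logon events; the most recent non-ignored 4624 per IP wins."""
    mapping = {}
    for ev in events:
        if ev["event_id"] != 4624:
            continue  # only successful logons create or update a mapping
        if is_ignored(ev["account"], ignore_patterns):
            continue  # Run As / service accounts never overwrite the real user
        mapping[ev["ip"]] = ev["account"]
    return mapping


def mapping_without_ignore_list():
    """Behaviour the original poster observed: Run As account takes over the IP."""
    return build_ip_user_map(SAMPLE_EVENTS, [])


def mapping_with_ignore_list():
    """Behaviour after the workaround: the interactive user stays mapped."""
    return build_ip_user_map(SAMPLE_EVENTS, parse_ignore_list(IGNORE_LIST_TEXT))


if __name__ == "__main__":
    print("without ignore list:", mapping_without_ignore_list())
    print("with ignore list:   ", mapping_with_ignore_list())
```

The same logic applies to the AD-group variant of the workaround: resolving the group's members into the ignore patterns instead of reading them from a file changes only where the list comes from, not how the mapping is protected.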

  • 1 accepted solution
  • 2635 Views
  • 2 replies
  • 0 Likes