ACS noise filter

1 minute read

When you install ACS you will get a ton of events! Not all events are relevant for your environment. Securevantage has written a nice noisefilter guide. This guide introduces noise filters for Windows Servers 2000 & 2003 Security Events.

 

Also interesting is the  Secure Vantage Security Auditing Reference List: Over 1300 Windows security events and settings with interactive links to Randy Franklin Smiths online security wiki.

The Service Account Authentication Success filter provides an example of how to filter specific user accounts or  patterns within a user account name like admin or sys on logon. These are commonly used to filter service accounts that run on all systems frequently such as antivirus or backup programs. Please note this is for ‘Success’ activity only, all Logon failure activity should be collected.

image

 

Run adtamin:

AdtAdmin.exe /getquery

Result: Current query: ‘select * from AdtsEvent’

image

 

Next, set the query to drop the “sys” and “adm” logons:

AdtAdmin.exe /setquery /query:”Select * from AdtsEvent where NOT ((HEADERUSER LIKE ‘%ADM_%’ OR HEADERUSER LIKE ‘%SYS_%’) AND(EventID = 528 OR EventID = 540 OR EventID = 680))”

 

check your query by running AdtAdmin.exe /getquery. the result should be:

Current query: “Select * from AdtsEvent where NOT ((HEADERUSER LIKE ‘%ADM_%’ OR HEADERUSER LIKE ‘%SYS_%’) AND(EventID = 528 OR EventID = 540 OR EventID = 680))”

 

Now all these events will be dropped before they enter the acs database.

 

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom

 

Tags van Technorati: ,,,

Leave a comment