How do I create a rule in VigilEnt Security Agent for Windows Detect to show a specific username or machine name in the alert?
VigilEnt Security Agent for Windows 3.x
VigilEnt Security Agent for Windows 4.0
In the Detect interface this can be accomplished by using the EXE action for the specific event:
- Type the name of an executable in the text box.
- Follow the name with a blank space and then an argument. Any further arguments must also be separated by spaces. The application or utility invoked by the first argument in the command interprets the rest of the arguments in the command.
From a DOS command line:
- Use the EXEC command the same way as at the command prompt.
- In a DOS shell, type CMD /C (command).
- The first argument in this command invokes the DOS shell, which interprets the rest of the arguments. Any command that can be executed at a DOS prompt can be performed with the arguments following the CMD /C prefix.
For information about the commands that can be used after the "CMD /C" prefix, see the help information displayed by this command line in the DOS shell: C:\>cmd /?
The following variables are available when building actions:
- %user%: sends the user name that performed the captured event.
- %computer%: sends the computer name from which the captured event was performed.
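As an added example (not from the article or the VigilEnt documentation), the following shows an EXE action that passes both variables to a small batch script, which appends a timestamped line to an alert log; the script path C:\VSA\alert_user.cmd and the log path C:\VSA\alerts.log are assumed names. Quoting the two variables keeps a user or computer name that contains a space from being split into separate arguments by the DOS shell.

```batch
:: Text entered in the EXE action box of the Detect rule (assumed script path):
::   cmd /c C:\VSA\alert_user.cmd "%user%" "%computer%"
::
:: C:\VSA\alert_user.cmd - VigilEnt substitutes %user% and %computer% before
:: cmd.exe runs; inside the script they arrive as %1 and %2 (%~1 strips quotes).
@echo off
setlocal
if "%~2"=="" (
    echo usage: %~nx0 "user" "computer" 1>&2
    exit /b 1
)
set "LOGFILE=C:\VSA\alerts.log"
:: One line per captured event; the log is what the operator reviews.
>> "%LOGFILE%" echo %date% %time% VigilEnt event: user=%~1 computer=%~2
endlocal
exit /b 0
```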
Refer to the VigilEnt Security Agent for Windows User Guide for more information regarding writing rules.