Rules for Unix
I am trying to create two unix rules, but I am not able to identify these in the events that are coming through. It might very well be possible that these events have not yet triggered on the unix servers. I need help to create the conditions for these rules, so that once the corresponding event is actually generated on the unix systems, these rules would trigger.
| Rule | Description |
|---|---|
| Unix - User home directory modified | This rule looks for modifications made to a Unix user account's home directory |
| Unix - User account parameters modified | This rule looks for modifications made to a Unix user account's security parameters |
Re: Rules for Unix
Are you getting event IDs for the integrated unix logs?
Then you can build the rule based on the event ID of the "User home directory modified" event.
If not, I would suggest generating these events on any UAT unix server and then analysing those events in ArcSight to build the rule logic.
I hope this helps.
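One way to do the "generate on UAT, then analyse" step the reply describes is to collect the syslog lines the account changes produce and draft the match conditions offline before porting them into the two ArcSight rules. This is an added example, not code from the thread or from ArcSight; the log lines are constructed, and the assumption that usermod/chage log in this wording should be checked against your own UAT host.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample syslog lines (assumption: wording modelled on the
# usermod/chage messages from shadow-utils; not captured from a real host).
SAMPLE_LOGS = [
    "Mar  3 10:15:01 uat-srv1 usermod[2211]: change user 'alice' home from '/home/alice' to '/export/home/alice'",
    "Mar  3 10:15:07 uat-srv1 usermod[2215]: change user 'bob' shell from '/bin/bash' to '/usr/sbin/nologin'",
    "Mar  3 10:15:12 uat-srv1 chage[2220]: changed password expiry for carol",
    "Mar  3 10:16:00 uat-srv1 sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
]

# Draft conditions for the two rules from the question. Each rule is a list of
# patterns; the named groups become the fields you would map in ArcSight.
RULES: Dict[str, List[Pattern[str]]] = {
    "Unix - User home directory modified": [
        re.compile(r"usermod\[\d+\]: change user '(?P<user>[^']+)' home from '(?P<old>[^']*)' to '(?P<new>[^']*)'"),
    ],
    "Unix - User account parameters modified": [
        # shell / UID / GID / GECOS changes made with usermod
        re.compile(r"usermod\[\d+\]: change user '(?P<user>[^']+)' (?P<param>shell|UID|GID|comment) from"),
        # password-ageing changes made with chage
        re.compile(r"chage\[\d+\]: changed (?P<param>password expiry|[\w ]+?) for (?P<user>\S+)$"),
    ],
}


def classify(line: str) -> Optional[dict]:
    """Return the first rule that matches a log line, plus the extracted fields, or None."""
    for rule, patterns in RULES.items():
        for pat in patterns:
            m = pat.search(line)
            if m:
                return {"rule": rule, "user": m.group("user"), "fields": m.groupdict()}
    return None


def correlate(lines: List[str]) -> List[dict]:
    """Run a batch of lines through the rule set; only matching lines become events."""
    events = []
    for line in lines:
        hit = classify(line)
        if hit is not None:
            events.append({"line": line, **hit})
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOGS):
        print(f"{ev['rule']}: user={ev['user']} fields={ev['fields']}")
```

Once the regexes match the lines your UAT host actually produces, the same conditions translate into rule filters on the parsed fields (device event class, user name, and the old/new values).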