Return
-
Title
Real-time monitoring rule "User Accounts removed by unauthorized personnel" does not work correct -
Description
The out-of-the-box real-time rule\alert, "User account removed by unauthorized personnel" does not work correctly on Windows 2008\R2.
-
Cause
This is because of this piece of the Matching REL code contains incorrect string values for the 2008 event:
EventID = 4726
and common(String5, String4) -
Resolution
WORKAROUND
It should be:
EventID = 4726
and common(String6, String5)STATUS
Waiting for fix in a future release of InTrust.
-
Defect ID
ST68241