Hello,
I was able to test and get this line to work in my lab.
PROCESS;*;NT AUTHORITY\SYSTEM;*;*;*
I based that on this syntax.
<class-name>;<object-name>;<user-name> or <group-name>;<program-path>;<access mode>;<authorization result>
I was able to block events such as:
19 Nov 2015 09:33:09 N PROCESS NT AUTHORITY\SYSTEM Kill 600 10 \device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe C:\Windows\system32\conhost.exe (OS user)
Event type: Resource access
Status: Access mask removal notification
Class: PROCESS
Resource: \device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe
Access: Kill
User name: NT AUTHORITY\SYSTEM
Program: C:\Windows\system32\conhost.exe
Date: 19 Nov 2015
Time: 09:33
Details: Attempting to terminate CA ControlMinder
User Logon Session ID: a18b091b-a68b-4b50-9d42-fa4dd156c9a2
Audit flags: OS user
Let me know if that doesn't work for you.
Thanks,
Aaron Armagost
Principal Support Engineer, CA Privileged Identity Manager
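Added illustration, not part of the reply above and not CA's own code: a small Python matcher that applies a six-field filter line of the form shown (class;object;user-or-group;program-path;access-mode;authorization-result) to audit event records. It assumes that fields are separated by ';', that '*' in a field matches anything, and that comparison is case-insensitive; the AuditEvent record is constructed by hand from the event printed in the post, and the 'N' status letter is mapped onto the authorization-result field as an assumption (the post's rule uses '*' there, so it matches either way).

```python
"""
Added example (not from the original forum post, not CA product code).

Matches audit-filter lines of the assumed form
  <class-name>;<object-name>;<user-name or group-name>;<program-path>;<access mode>;<authorization result>
against audit event records.  Assumptions: ';' separates fields, '*' matches
anything (shell-style globbing is used for partial wildcards), comparison is
case-insensitive.  Real product semantics may differ.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

FILTER_FIELDS = (
    "class_name", "object_name", "user_name",
    "program_path", "access_mode", "auth_result",
)


@dataclass(frozen=True)
class AuditEvent:
    class_name: str
    object_name: str
    user_name: str
    program_path: str
    access_mode: str
    auth_result: str


def parse_filter_line(line: str) -> dict:
    """Split one filter line into its six named fields; reject malformed lines."""
    parts = line.strip().split(";")
    if len(parts) != len(FILTER_FIELDS):
        raise ValueError(
            f"expected {len(FILTER_FIELDS)} ';'-separated fields, got {len(parts)}: {line!r}"
        )
    return dict(zip(FILTER_FIELDS, parts))


def field_matches(pattern: str, value: str) -> bool:
    """'*' alone matches anything; otherwise glob-match, ignoring case."""
    if pattern == "*":
        return True
    return fnmatchcase(value.lower(), pattern.lower())


def event_matches(rule: dict, event: AuditEvent) -> bool:
    """An event matches a rule only when every one of the six fields matches."""
    return all(field_matches(rule[f], getattr(event, f)) for f in FILTER_FIELDS)


def filter_events(rules: list, events: list) -> list:
    """Return the events that match at least one rule (the ones a rule would act on)."""
    parsed = [parse_filter_line(r) for r in rules]
    return [e for e in events if any(event_matches(r, e) for r in parsed)]


# Constructed from the event shown in the post (hand-built, not an exported record).
SAMPLE_EVENT = AuditEvent(
    class_name="PROCESS",
    object_name=r"\device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe",
    user_name=r"NT AUTHORITY\SYSTEM",
    program_path=r"C:\Windows\system32\conhost.exe",
    access_mode="Kill",
    auth_result="N",  # assumption: the raw line's status letter stands in for <authorization result>
)

# A second constructed event that the post's rule should NOT match (different user).
OTHER_EVENT = AuditEvent(
    class_name="PROCESS",
    object_name=SAMPLE_EVENT.object_name,
    user_name=r"CORP\svc_backup",  # constructed placeholder account
    program_path=r"C:\Windows\system32\taskkill.exe",
    access_mode="Kill",
    auth_result="N",
)

if __name__ == "__main__":
    rule_from_post = r"PROCESS;*;NT AUTHORITY\SYSTEM;*;*;*"
    for ev in filter_events([rule_from_post], [SAMPLE_EVENT, OTHER_EVENT]):
        print("matched:", ev.user_name, ev.access_mode, ev.program_path)
```

Running the file prints only the SAMPLE_EVENT line, since the second event's user field does not match 'NT AUTHORITY\SYSTEM'; narrowing the program-path or access-mode fields instead of leaving them as '*' is the usual way to make such a rule less broad.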