In the middle of managing a fairly big rollout and upgrade of DCSSA where there are a number of administrators and people who prefer to use the commands to put DCS into a builtin mode instead of tuning or using the override.exe tool.
Is there a way to create a detection event to track who runs sisipsconfig -r? Looking to create an event which can report the user name that has run the command.
I don't know how to monitor the running of a specific command, but I have an idea of how to help you.
sisipsconfig -r changes the line use.builtin.policy=false to use.builtin.policy=true in the agent.ini file.
So you need to create a file watch rule that monitors
C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\IPS\agent.ini
You can also add use.builtin.policy=false to "ignore string" in the policy or modify "select string" to monitor only this modification.
I can see that running this command will create the event with the right username with the rule.
It is also helpful, as someone can edit the file directly without running the command.
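To make the "select string" / "ignore string" logic of that file watch rule concrete, here is an added example (not DCS code, and not from the answer above) that emulates what the rule would report when agent.ini changes: it diffs the old and new file content, keeps only lines matching a select pattern for use.builtin.policy, drops lines matching an ignore pattern for the normal value false, and emits an event carrying the user name. The sample ini text, user names and the event format are constructed for the example; the real rule syntax and event fields are DCS's own.

```python
"""Emulate a file-watch rule on agent.ini with select/ignore string filters.

Added example, not DCS code. The ini contents, user names and event layout
below are constructed; only the file path comes from the thread above.
"""
import re
from datetime import datetime, timezone

# Path from the thread; the rule watches this file.
AGENT_INI = r"C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\IPS\agent.ini"

# "select string": only changed lines that set use.builtin.policy are of interest.
SELECT_STRING = re.compile(r"^\s*use\.builtin\.policy\s*=", re.IGNORECASE)
# "ignore string": the normal value (false) is not reported, so only the
# switch to built-in mode (true) produces an event.
IGNORE_STRING = re.compile(r"^\s*use\.builtin\.policy\s*=\s*false\s*$", re.IGNORECASE)


def changed_lines(old_text, new_text):
    """Return lines present in new_text but not in old_text (what a file watch sees)."""
    old = {line.strip() for line in old_text.splitlines()}
    return [line.strip() for line in new_text.splitlines() if line.strip() not in old]


def detect_builtin_policy_change(old_text, new_text, user, when=None):
    """Return an event dict when a changed line passes the select/ignore filters, else None.

    `user` is the account that wrote the file (the watch reports it); `when`
    lets a caller supply a fixed timestamp for reproducible output.
    """
    hits = [
        line for line in changed_lines(old_text, new_text)
        if SELECT_STRING.search(line) and not IGNORE_STRING.search(line)
    ]
    if not hits:
        return None
    return {
        "file": AGENT_INI,
        "user": user,
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "changed": hits,
        "message": f"{user} switched the agent to built-in policy (use.builtin.policy changed)",
    }


# Constructed sample contents: before and after running sisipsconfig -r.
INI_BEFORE = "[agent]\nlog.level=info\nuse.builtin.policy=false\n"
INI_AFTER = "[agent]\nlog.level=info\nuse.builtin.policy=true\n"
# An unrelated edit, which the select string must filter out.
INI_OTHER = "[agent]\nlog.level=debug\nuse.builtin.policy=false\n"

if __name__ == "__main__":
    # Constructed user name for the demonstration.
    print(detect_builtin_policy_change(INI_BEFORE, INI_AFTER, "CORP\\admin1"))
    print(detect_builtin_policy_change(INI_BEFORE, INI_OTHER, "CORP\\admin1"))
```

The diff is line-based on purpose: a file watch reports the write, and the select/ignore strings decide whether that write becomes an event, which is why a direct edit of agent.ini in an editor is caught the same way as the command.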
Thanks Alexander S, this works a treat.