KB 240101: Privileged Group Membership rules fail in localized environment
The default rules that monitor changes to privileged groups fail to raise an alert in non-English environments.
Issue: The rules' filter expressions match on the group's display name rather than its SID.
Symptoms: The expected alert for a privileged group membership change never appears, although the corresponding event (4728/4732/4756 for additions, 4729/4733/4757 for removals) is written to the Security log.
Cause: SCOM evaluates the filter expression against the localized text of the event description, not against the SID/GUID values that the Security log records for the group. The group name differs per language ("Administrators" vs "Administratoren"), so a string match built for English never fires elsewhere, while the SID is identical on every locale.
Scope: Any environment running a non-English version of Windows, or any environment that has renamed its privileged groups as a hardening best practice (a rename changes the display name but not the SID).
Product/s: Windows Security Auditor 3.0.6500.0
Rules impacted (their filter expressions match on the group name)
- Local Admin Group Membership Change rules
- Domain Admin, Enterprise Admin and Schema Admin Group Membership Change rules
Resolution
Create new rules using the 'Group Membership Change for X' monitoring template and build the filter expression on the group's SID (the TargetSid field of the membership change events) instead of the group name. The SID does not change with the display language or with a rename: the local Administrators group is always S-1-5-32-544, and Domain Admins, Schema Admins and Enterprise Admins are the domain SID followed by RID 512, 518 and 519 respectively. Verify the new rules by adding and removing a test account on a non-English or renamed group and confirming that the alert appears.
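The following Python block is an added example, not part of the original KB article or of the product's own rule logic. It reproduces the failure mode above over constructed Security-log events (the XML is hand-built here, not a real capture; the domain SID S-1-5-21-1-2-3 and the member SID are placeholders): a name-based filter fires only on the English event, while a SID-based filter fires on the English, German and renamed variants and still ignores a non-privileged group. The SID check generalizes to the domain groups by testing the RID rather than a single hard-coded SID.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Get-WinEvent ... | % ToXml produces this shape).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known SID / RIDs for the groups covered by the affected rules.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
PRIVILEGED_DOMAIN_RIDS = {512, 518, 519}   # Domain Admins, Schema Admins, Enterprise Admins

# Membership change events: 4732/4733 local, 4728/4729 global, 4756/4757 universal groups.
MEMBERSHIP_CHANGE_EVENTS = {4728, 4729, 4732, 4733, 4756, 4757}


def make_event(event_id, target_name, target_sid, target_domain="Builtin",
               member_sid="S-1-5-21-1-2-3-1105"):
    """Build a minimal Security-log event (constructed sample, placeholder SIDs)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">{member_sid}</Data>
    <Data Name="TargetUserName">{target_name}</Data>
    <Data Name="TargetDomainName">{target_domain}</Data>
    <Data Name="TargetSid">{target_sid}</Data>
  </EventData>
</Event>"""


# Constructed sample events: same change, different locale / naming.
EN_LOCAL = make_event(4732, "Administrators", BUILTIN_ADMINISTRATORS)
DE_LOCAL = make_event(4732, "Administratoren", BUILTIN_ADMINISTRATORS)
RENAMED_LOCAL = make_event(4732, "Srv-LocalAdmins", BUILTIN_ADMINISTRATORS)
DE_DOMAIN = make_event(4728, "Domänen-Admins", "S-1-5-21-1-2-3-512", target_domain="CORP")
RDP_USERS = make_event(4732, "Remote Desktop Users", "S-1-5-32-555")


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def name_rule_matches(xml_text, group_name="Administrators"):
    """The original rule's approach: compare the localized display name as text."""
    event_id, data = parse_event(xml_text)
    return event_id in MEMBERSHIP_CHANGE_EVENTS and data.get("TargetUserName") == group_name


def is_privileged_group_sid(sid):
    """True for BUILTIN\\Administrators or a domain group with a privileged RID."""
    if sid == BUILTIN_ADMINISTRATORS:
        return True
    parts = sid.split("-")                      # S-1-5-21-<a>-<b>-<c>-<rid> -> 8 parts
    if sid.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1].isdigit():
        return int(parts[-1]) in PRIVILEGED_DOMAIN_RIDS
    return False


def sid_rule_matches(xml_text):
    """The corrected approach: match on TargetSid, which is locale- and rename-independent."""
    event_id, data = parse_event(xml_text)
    return event_id in MEMBERSHIP_CHANGE_EVENTS and is_privileged_group_sid(data.get("TargetSid", ""))


def evaluate_samples():
    """Run both filters over every sample; returns {label: (name_match, sid_match)}."""
    samples = {"en_local": EN_LOCAL, "de_local": DE_LOCAL, "renamed_local": RENAMED_LOCAL,
               "de_domain": DE_DOMAIN, "rdp_users": RDP_USERS}
    return {label: (name_rule_matches(xml), sid_rule_matches(xml)) for label, xml in samples.items()}


if __name__ == "__main__":
    for label, (by_name, by_sid) in evaluate_samples().items():
        print(f"{label:14} name-rule={by_name!s:5} sid-rule={by_sid}")
```

The name-based filter reports only the English local event, which is exactly the alert gap described above; the SID-based filter reports all three Administrators variants plus the German Domain Admins event and stays silent on Remote Desktop Users.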