Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
304
Views
4
Helpful
1
Replies

CSA - Rules/Tasks to move computers to specific group

joseph.hamilton
Level 1
Level 1

‎06-19-2007 04:46 AM - edited ‎03-09-2019 06:13 PM

I'm trying to set up some more advanced rules and tasks in CSA, and one of my goals was to make a rule/task to move a host to a group "Rootkit detected computers" when it detects an unauthorized rootkit. Can't really find any way to make this in a rule, and I can't find any tasks that are based off of events or event sets.

Any ideas? We're on CSA 5.0 v187, and we should be upgrading to 5.2 within the next week.

Labels:
0 Helpful
1 Reply 1

spokejunky
Level 1
Level 1

‎07-19-2007 10:15 AM

I've tried to do the same thing with admins enabling/disabling the client for 'troubleshooting'. A task has to move a system record from one existing group to another. So if the system doesn't already exist in that group, then it can't be moved. The only other thing I could come up with is to monitor for a security posture low/medium/high. Monitor for a dynamic process on boot for any rootkit and set the system to high security level. Assign the rule module for network lockdown on the system state of high security. Also to notify you, monitor for the untrusted rootkit detected rule to be triggered and an email will be sent to you for follow up.

Customers Also Viewed These Support Documents