Hey All,
We have a policy under development for web prevent with an exception being a "User Group" consisting of Active Directory Users / Active Directory Groups that have been configured from a Directiory Connection to Multiple Domains.
The Index Update has been configured to perform once a day.
In the policy, the detection rules are configured based on specified critiera, and the Exceptions set to "User Group".
When testing the policy, incidents are being generated for the critiera set in the policy, but they are still being generated when the user in question is part of the Active Directory Group or even added individially into the "User Group".
Is anybody aware if the users added into the User Group via the LDAP/LDAPs somebow need to be translated into another format for exception to take place ?
The only difference I can see is the entry within the user group is added as a CN (common name) but the detection in the incident is displayed as a sender; WINNT://{domain}/{account/username}
Thanks