
Authentication suppression rule may be a little aggressive for some #28

Open
uplateandonline opened this issue Oct 12, 2018 · 1 comment

@uplateandonline

Hi team,

Thanks for the work on this. Just FYI, we noticed that this actually means that UAC logins (in the form of 4624 events) don't get forwarded. We decided to change this as often analysts might just search for 4624 events to see where an account has been used (noting that's not ideal). So we flipped this suppress rule so all 4624s are collected regardless of SID. It does increase the volume a bit, but we think it's worth it.

Might be worth placing a comment up the top of the subscription policy (it took us a while to find) if you are intending to leave it as is.

Thanks!

@Beercow

Beercow commented Jan 14, 2019

If you change

```xml
<Suppress Path="Security">*[EventData[Data[1]="S-1-5-18"]]</Suppress>
```

to

```xml
<Suppress Path="Security">*[EventData[Data[5]="S-1-5-18"]]</Suppress>
```

it cuts down on System events without losing insight as to where users are logging in.
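The difference between the two rules comes down to which EventData field the positional XPath index selects: in a 4624 event, Data[1] is SubjectUserSid (the account that initiated the logon, frequently SYSTEM) and Data[5] is TargetUserSid (the account that actually logged on). The script below is an added example, not part of this issue or of the project's subscription files. It builds three constructed 4624 events (SIDs, account names and logon IDs are made up; the field order follows the real 4624 EventData layout) and evaluates both suppress rules against them, so you can see which logons each rule would drop before forwarding.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (the real value used by Security channel events).
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
SYSTEM_SID = "S-1-5-18"  # LocalSystem


def make_4624(subject_sid, subject_name, target_sid, target_name, logon_type):
    """Build a constructed 4624 event in the real EventData field order.

    Only the first nine Data fields are emitted; that is enough because the
    two suppress rules under discussion look at Data[1] (SubjectUserSid) and
    Data[5] (TargetUserSid).  Domain and logon IDs are made-up placeholders.
    """
    return f"""<Event xmlns="{EVENT_NS}">
  <System><EventID>4624</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">{target_sid}</Data>
    <Data Name="TargetUserName">{target_name}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x1a2b3c</Data>
    <Data Name="LogonType">{logon_type}</Data>
  </EventData>
</Event>"""


# Constructed sample set (not captured from a real host).
SAMPLE_EVENTS = {
    # UAC elevation: the subject is SYSTEM, the target is the user who elevated.
    "uac_elevation": make_4624(SYSTEM_SID, "SYSTEM",
                               "S-1-5-21-1000-2000-3000-1001", "alice", 2),
    # LocalSystem service logon: subject and target are both SYSTEM.
    "system_service_logon": make_4624(SYSTEM_SID, "SYSTEM",
                                      SYSTEM_SID, "SYSTEM", 5),
    # Network logon: subject is the NULL SID, target is the remote user.
    "network_logon": make_4624("S-1-0-0", "-",
                               "S-1-5-21-1000-2000-3000-1002", "bob", 3),
}


def data_field(event_xml, position):
    """Text of EventData/Data[position], 1-based like the WEF XPath index."""
    root = ET.fromstring(event_xml)
    fields = root.findall("e:EventData/e:Data", NS)
    return fields[position - 1].text


def suppressed(event_xml, position, sid=SYSTEM_SID):
    """True when *[EventData[Data[position]="sid"]] matches, i.e. the rule drops it."""
    return data_field(event_xml, position) == sid


def forwarded(events, position):
    """Names of the events the subscription would still forward under that rule."""
    return [name for name, xml in events.items() if not suppressed(xml, position)]


if __name__ == "__main__":
    for pos, label in ((1, "Data[1] = SubjectUserSid"),
                       (5, "Data[5] = TargetUserSid")):
        print(f"Suppress on {label}: forwarded {forwarded(SAMPLE_EVENTS, pos)}")
```

Run as-is, the Data[1] rule forwards only the network logon, because both the UAC elevation and the service logon were initiated by SYSTEM; the Data[5] rule keeps the UAC elevation (its target is alice) and drops only the logon whose target account is SYSTEM, which is the behaviour the comment describes.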
