search

palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response
Other
1.22k stars 267 forks source link

Authentication suppression rule may be a little aggressive for some #28

Open uplateandonline opened 6 years ago

uplateandonline commented 6 years ago

Hi team,

Thanks for the work on this. Just FYI, we noticed that this actually means that UAC logins (in the form of 4624 events) don't get forwarded. We decided to change this as often analysts might just search for 4624 events to see where an account has been used (noting that's not ideal). So we flipped this suppress rule so all 4624s are collected regardless of SID. It does increase the volume a bit, but we think it's worth it.

Might be worth placing a comment up the top of the subscription policy (it took us a while to find) if you are intending to leave it as is.

Thanks!

Beercow commented 5 years ago

If you change Suppress Path="Security">[EventData[Data[1]="S-1-5-18"]] To Suppress Path="Security">[EventData[Data[5]="S-1-5-18"]] It cuts down on System events without losing insight as to where users are logging in.