Rule 18107 may be triggering more times than necessary #298

Closed
crolopez opened this issue Feb 25, 2019 · 2 comments

@crolopez
Contributor

This alert is triggered by event 4624, which appears each time a login is requested. This includes the multiple user-change requests that Windows processes perform.

In other words, we can have this alert without having logged in or executed something with permissions from another computer user.

We can make a new rule that derives from this one and refers exclusively to logins by physical users.

A way to differentiate these events may be the fact that the TargetDomainName field coincides with the WorkstationName.
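
The heuristic proposed in the comment above, as an added example (not the project's rule code and not written by the issue's participants): it parses Windows event XML and keeps only 4624 events whose `TargetDomainName` matches `WorkstationName`. The sample events, host and account names are constructed, and the case-insensitive comparison and the handling of an empty or `-` workstation are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, **data):
    """Build a minimal event XML document (constructed test input)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed samples: host and account names are made up for illustration.
SAMPLE_EVENTS = [
    _event(4624, TargetUserName="alice", TargetDomainName="DESKTOP-01",
           WorkstationName="DESKTOP-01", LogonType="2"),
    _event(4624, TargetUserName="SYSTEM", TargetDomainName="NT AUTHORITY",
           WorkstationName="-", LogonType="5"),
    _event(4624, TargetUserName="bob", TargetDomainName="desktop-01",
           WorkstationName="DESKTOP-01", LogonType="2"),
    _event(4624, TargetUserName="svc", TargetDomainName="SOMEDOMAIN",
           LogonType="3"),  # WorkstationName field missing entirely
    _event(4634, TargetUserName="alice", TargetDomainName="DESKTOP-01",
           WorkstationName="DESKTOP-01"),  # logoff, not a 4624
]


def parse_event(xml_text):
    """Return (event_id, {field name: value}) for one event document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def is_user_logon(xml_text):
    """True when a 4624 event has TargetDomainName equal to WorkstationName."""
    event_id, data = parse_event(xml_text)
    if event_id != 4624:
        return False
    domain = data.get("TargetDomainName", "")
    workstation = data.get("WorkstationName", "")
    if not domain or workstation in ("", "-"):  # assumption: treat as no match
        return False
    return domain.casefold() == workstation.casefold()


def user_logons(events):
    """Account names of the events that pass the heuristic, in input order."""
    return [parse_event(e)[1]["TargetUserName"] for e in events if is_user_logon(e)]
```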

@crolopez crolopez changed the title Rule 20047 may be triggering more times than necessary Rule 18107 may be triggering more times than necessary Feb 25, 2019
@crolopez
Contributor Author

Related to #295.

@cristgl cristgl self-assigned this Feb 25, 2019
@cristgl
Contributor

cristgl commented Feb 25, 2019

We will keep working on #295
