How to find the noise in 4625
Author
Message
Posted 5/26/2016 6:25:31 AM
Forum Newbie


Group: Forum Members
Last Login: 4/25/2016 11:02:55 AM
Posts: 2, Visits: 1
Hi Team, please help me understand how to identify noise in 4625 events and ways to differentiate between failed logon events by services and users. I do know that we have helping factors like Status and Sub Status codes (0xC0000064, 0xC000006A, 0xC0000234, 0xC0000072, 0xC000006F, 0xC0000070, 0xC0000193, 0xC0000071, 0xC0000133, 0xC0000224, 0xC0000225, 0xc000015b) and logon type (Interactive, Network, Batch, Service, Unlock, NetworkCleartext, NewCredentials, RemoteInteractive, CachedInteractive, CachedRemoteInteractive), but these help to identify the reason; there are no solid recommendations to overlook any of these conditions. Please help...
Post #5212
Posted 5/31/2016 6:51:57 PM
Supreme Being


Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
A certain amount of noise is always going to be present. First check out this webinar: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=244. It's hard to make a recommendation without understanding the environment and determining what's important to you. General strategies include: determine what is important to you, look for surges in overall failures daily/weekly, look for surges in failures per user, look for surges in failures grouped by source, and analyze failures for administrative users.
Post #5218
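The grouping strategies from the reply above (surges per user, surges per source, failures for administrative users) plus the service-versus-user split asked about in the question, as an added example that is not part of either post. The records are constructed; the tuple layout, the thresholds, the `ADMIN_USERS` watch list and the choice to treat logon types 4 (Batch) and 5 (Service) as service-originated are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Field positions in each constructed record.
DAY, USER, SOURCE, LOGON_TYPE, SUB_STATUS = range(5)
SERVICE_LOGON_TYPES = {4, 5}          # Batch, Service (assumed "service" origin)
ADMIN_USERS = {"administrator"}       # hypothetical watch list

def build_events():
    """Constructed sample data: seven days of 4625 failures."""
    events = []
    for day in range(1, 8):
        # Steady background: a service with a stale password, one user typo.
        events += [(day, "svc_backup", "10.0.0.5", 5, "0xC000006A")] * 3
        events.append((day, "alice", "10.0.0.21", 2, "0xC000006A"))
    # Day 7: many bad passwords for one admin account from one source.
    events += [(7, "administrator", "10.0.0.99", 3, "0xC000006A")] * 40
    # Day 7: one source trying twelve nonexistent user names once each.
    events += [(7, f"user{n}", "10.0.0.77", 3, "0xC0000064") for n in range(12)]
    return events

def surges(events, field, day, factor=5, floor=10):
    """Keys whose count on `day` is >= floor and > factor x their prior-day median."""
    per_day = defaultdict(Counter)
    for ev in events:
        per_day[ev[DAY]][ev[field]] += 1
    prior = [d for d in per_day if d < day]
    flagged = {}
    for key, count in per_day[day].items():
        baseline = median(per_day[d][key] for d in prior) if prior else 0
        if count >= floor and count > factor * baseline:
            flagged[key] = count
    return flagged

def service_failures(events):
    """Failure counts per account for Batch/Service logon types."""
    return Counter(ev[USER] for ev in events if ev[LOGON_TYPE] in SERVICE_LOGON_TYPES)

def admin_failures(events, day):
    """Failures on `day` against watched administrative accounts."""
    return [ev for ev in events if ev[DAY] == day and ev[USER] in ADMIN_USERS]

if __name__ == "__main__":
    evs = build_events()
    print("per-user surges  :", surges(evs, USER, 7))
    print("per-source surges:", surges(evs, SOURCE, 7))
    print("service failures :", dict(service_failures(evs)))
    print("admin failures   :", len(admin_failures(evs, 7)))
```

The twelve single failures from 10.0.0.77 stay below every per-user threshold and only show up when grouped by source, while the steady `svc_backup` failures never exceed their own baseline and are the kind of recurring noise to fix at the service rather than alert on.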