4624 Type 3 Filtering Help
Posted 1/8/2020 11:05:41 AM
Forum Newbie


Group: Forum Members
Last Login: 1/8/2020 10:53:37 AM
Posts: 1, Visits: 0
Hi,

I am fairly new to this and am attempting to filter out 4624 type 3 events that are not generated by the user logging in interactively. My domain is using Kerberos, ADFS, single sign-on, and possibly more. Is there a way to correlate the type 2 logon to the type 3 that is logged on the DC? I have tried narrowing down with the TGT request event 4768; however, this also seems unreliable due to the life of the ticket at times. There is so much noise from the 4624 type 3 logons from all users/devices, and I need some guidance or reading material that might point me in the right direction.

The SIEM I'm using should be able to parse out the logs; I'm just not sure which field would work well for narrowing down the interactive logons and whether that field is currently parsed.

Regards,
Kyto
Post #8613
Posted 5/24/2020 12:13:46 PM
Forum Newbie


Group: Forum Members
Last Login: 5/25/2020 8:09:09 AM
Posts: 3, Visits: 3
Hi, I think you are facing the same problem for filtering.
I am thinking of the following filter at the moment for suppressing the events with a WEC subscription.

I will write it in pseudo-code, because I do not have a filter in place right now.



I think the logon type of a computer account (which always ends with $, perhaps followed by the domain) is always logon_type 3.

This filter would reduce the log amount by 45%.
I am thinking about an additional condition with SID: S-1-5-18,
but the reduction will only lead to 4.5%.

I am very interested in your thoughts.
Post #8640
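Added example, not code from either poster: the suppression idea from post #8640 (drop 4624 type 3 events whose target account ends with $ or whose SID is S-1-5-18) and the correlation asked about in post #8613 (does a type 3 network logon on the DC sit behind a recent type 2/10/11 interactive logon by the same account on the named workstation?), applied to a few constructed 4624 event records in the Windows event XML layout. Host names, SIDs, timestamps and the 10-minute window are assumptions; the reduction figure it computes comes from the constructed sample, not from either poster's environment.

```python
"""Suppress machine-account 4624 type 3 noise and correlate the rest to interactive logons."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SYSTEM_SID = "S-1-5-18"            # extra condition proposed in post #8640
INTERACTIVE_TYPES = {"2", "10", "11"}    # Interactive, RemoteInteractive, CachedInteractive


def parse_4624(xml_text):
    """Flatten one Windows event XML record into a dict of System fields plus EventData."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    event = {
        "EventID": system.find("e:EventID", NS).text,
        "Computer": system.find("e:Computer", NS).text,
        "Time": datetime.fromisoformat(when),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = data.text or "-"
    return event


def is_noise(event):
    """Post #8640's filter: network logons by computer accounts ($) or by LocalSystem."""
    if event["EventID"] != "4624" or event["LogonType"] != "3":
        return False
    return event["TargetUserName"].endswith("$") or event["TargetUserSid"] == LOCAL_SYSTEM_SID


def correlate(events, window=timedelta(minutes=10)):
    """For each non-noise type 3 logon, say whether the same account had an interactive
    logon on the workstation named in the event within `window` before it.
    Caveat: Kerberos network logons often carry '-' in WorkstationName and only an
    IpAddress, so a real deployment would also need an IP-to-host mapping."""
    interactive = [e for e in events if e["EventID"] == "4624" and e["LogonType"] in INTERACTIVE_TYPES]
    result = []
    for e in events:
        if e["EventID"] != "4624" or e["LogonType"] != "3" or is_noise(e):
            continue
        backed = any(
            i["TargetUserName"].lower() == e["TargetUserName"].lower()
            and i["Computer"].split(".")[0].upper() == e["WorkstationName"].upper()
            and timedelta(0) <= e["Time"] - i["Time"] <= window
            for i in interactive
        )
        result.append((e["TargetUserName"], e["Computer"], backed))
    return result


def suppression_ratio(events):
    """Share of type 3 logons the filter would drop (0.0 to 1.0)."""
    type3 = [e for e in events if e["EventID"] == "4624" and e["LogonType"] == "3"]
    return sum(1 for e in type3 if is_noise(e)) / len(type3)


def make_event(time, computer, logon_type, user, sid, workstation, ip):
    """Build a constructed 4624 record in the Windows event XML layout (sample data only)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{time}Z"/><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">{sid}</Data><Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{logon_type}</Data><Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData></Event>"""


# Constructed sample: one interactive logon on WS01, then type 3 logons seen on the DC.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"   # assumed user SID
SAMPLE_EVENTS = [parse_4624(make_event(*args)) for args in [
    ("2020-01-08T10:00:00", "WS01.corp.example", "2", "kyto", USER_SID, "WS01", "127.0.0.1"),
    ("2020-01-08T10:00:05", "DC01.corp.example", "3", "kyto", USER_SID, "WS01", "10.0.0.15"),
    ("2020-01-08T10:00:07", "DC01.corp.example", "3", "WS01$", "S-1-5-21-1111111111-2222222222-3333333333-1001", "WS01", "10.0.0.15"),
    ("2020-01-08T10:01:00", "DC01.corp.example", "3", "SYSTEM", LOCAL_SYSTEM_SID, "-", "-"),
    ("2020-01-08T10:30:00", "DC01.corp.example", "3", "kyto", USER_SID, "SRV02", "10.0.0.40"),
    ("2020-01-08T10:05:00", "DC01.corp.example", "3", "DC01$", "S-1-5-21-1111111111-2222222222-3333333333-1000", "DC01", "10.0.0.1"),
]]

if __name__ == "__main__":
    print(f"suppressed {suppression_ratio(SAMPLE_EVENTS):.0%} of type 3 logons")
    for user, host, backed in correlate(SAMPLE_EVENTS):
        print(f"{user}@{host}: {'backed by interactive logon' if backed else 'NO interactive logon found'}")
```

The second kyto logon (from SRV02, with no preceding interactive logon there) is the kind of event worth keeping after the machine-account noise is dropped, which is the point of correlating rather than filtering on logon type alone.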