Forum

Ultimate Windows Security Forum » Security Log » 4672 - Special privileges assigned to new... » Possible to suppress EVID 4672?

Possible to suppress EVID 4672?

Rate Topic

Display Mode

Topic Options

Author

Message

jwalzer

Posted 1/5/2012 10:04:52 AM

Forum Member

Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12

Randy,

In my SIM I'm seeing a ton of EVID 4762 being generated as events. Are there are other EVIDs that would take precedence over 4672 and as long as they're being flagged as events that would allow me to suppress 4672 as an event but still capture the log for forensic purposes?

Thx,
Jeff

Post #889

whsmith

Posted 2/20/2012 2:32:04 PM

Security Log Nerd

Group: Administrators
Last Login: 4/16/2009 1:11:51 PM
Posts: 49, Visits: 0

At the server level you can disable the Special Logon subcategory. As an an alternative most SIEM (SIM) software allows you to filter it out by the event number

Post #919

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 9:54am

Upcoming Webinars

AD Audits: Top 7 Questions to Answer When Auditors Look at Account Management and Access Control in Active Directory

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.