Reduce event noise in the Security log

  • Question

  • Is there a way to reduce the amount of security log / Credential Validation success events?

    Our monitoring system is alerting 10 to 20 times every few minutes.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/21/2019 7:21:33 AM
    Event ID:      4776
    Task Category: Credential Validation
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DC1
    Description:
    The computer attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: User1
    Source Workstation: Monitor1
    Error Code: 0x0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4776</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>14336</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2019-03-21T13:21:33.329184600Z" />
        <EventRecordID>117861885</EventRecordID>
        <Correlation />
        <Execution ProcessID="528" ThreadID="5672" />
        <Channel>Security</Channel>
        <Computer>DC1</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
        <Data Name="TargetUserName">User1</Data>
        <Data Name="Workstation">Monitor1</Data>
        <Data Name="Status">0x0</Data>
      </EventData>
    </Event>

    I found the following from SolarWinds, but it's not working:

    auditpol /set /user:User1 /exclude /subcategory:"Credential Validation"

    Is there a way to exclude events by user or by workstation?

    Thanks


    Thursday, March 21, 2019 1:49 PM
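
An added example, not part of the original post or of any vendor's tooling: one way a monitoring pipeline could drop this noise on the consumer side, by parsing the 4776 event XML shown above and suppressing only successful validations (Status 0x0) from a known account/workstation pair. The allowlist, function names and sample events are assumptions constructed for illustration; 0xC000006A is the NTSTATUS value for a wrong password.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: (account, workstation) pairs whose successful validations are expected.
EXPECTED_SUCCESS = {("user1", "monitor1")}

# Constructed sample, trimmed from the event in the post to the fields used here.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><Computer>DC1</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="Workstation">{ws}</Data>
    <Data Name="Status">{status}</Data>
  </EventData>
</Event>"""

def sample(user, ws, status):
    """Build a constructed 4776 event for the given account, workstation and status."""
    return TEMPLATE.format(user=user, ws=ws, status=status)

def parse_4776(event_xml):
    """Return the fields of a 4776 event as a dict, or None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "user": data.get("TargetUserName", ""),
        "workstation": data.get("Workstation", ""),
        # A missing or empty status is treated as a failure so it is never suppressed.
        "status": int(data.get("Status") or "0xffffffff", 16),
    }

def is_expected_noise(event_xml):
    """True only for a successful 4776 from an allowlisted account/workstation pair."""
    ev = parse_4776(event_xml)
    if ev is None or ev["status"] != 0:
        return False  # other events and failed validations always pass through
    return (ev["user"].lower(), ev["workstation"].lower()) in EXPECTED_SUCCESS

if __name__ == "__main__":
    cases = [("User1", "Monitor1", "0x0"),         # the event from the post
             ("User1", "Monitor1", "0xC000006A"),  # same pair, wrong password
             ("User2", "Monitor1", "0x0")]         # success for another account
    for case in cases:
        print(case, "suppress" if is_expected_noise(sample(*case)) else "alert")
```

Filtering on both account and workstation, and only on Status 0x0, keeps failed validations for the same account and any use of it from another host visible to alerting.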