Has anyone seen an issue where Win Event Logs (Security logs) (Win10) are generating gigs of data related to SeBackupPrivilege?
Any idea why this is happening and how to fix it?
This is the log message:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=(Hostname)
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=1300748316
Keywords=Audit Success
Message=An operation was attempted on a privileged object.
Thanks Skalli. I hadn't thought of that to be honest, so great point.
The high volume of alerts was primarily from one machine. Once we disabled auditing in the Windows event log, it stopped the spamming. The root cause is actually any app that is accessing a 'privileged object' (in this case it's calling the WmiPrvSE.exe process, but it can be many, such as Adobe Updater), and that is triggering millions of events in the log. Event 4674 in this case. So that is what I need to focus on now.
Thanks for the response again.
Brian
Curious to see if you found any more information on this. I'd like not to filter out the 4674 events, but they are creating so many events that Splunk cannot keep up. For me, it is specifically the SeBackupPrivilege.
Did anyone hear back on this? I'm getting the same issue but with chrome.exe and iexplorer.exe; any guidance would be appreciated, thanks!
I ended up disabling the auditing for the SeBackupPrivilege only.
Did you disable the SeBackupPrivilege through GPO or during Splunk ingesting?
I did that through GPO. I didn't find the event very useful for my environment so chose not to log it.
Have you checked for duplicate RecordNumbers?
Because sometimes you get a ridiculously high amount of the same message.
Like this:
index=*active_directory* sourcetype=*whatever*
| stats count by RecordNumber, _time, host
| where count > 1
Skalli
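A small triage script, added here as an example (not code from the thread or from Splunk), that parses constructed 4674 records in the key=value layout shown above and runs both checks the thread discusses: Skalli's duplicate-RecordNumber check, and a per-process count of SeBackupPrivilege events to find the noisy binary Brian describes. The sample records, the host name WS01 and the process paths are constructed for illustration.

```python
import re
from collections import Counter

def make_event(record, process, privilege, host="WS01"):
    """Constructed 4674 record in the key=value layout from the thread (not real log data)."""
    return (f"LogName=Security\nEventCode=4674\nRecordNumber={record}\nComputerName={host}\n"
            "Message=An operation was attempted on a privileged object.\n"
            f"\tProcess Name:\t{process}\n\tPrivileges:\t\t{privilege}\n")

WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed sample input
    make_event(1300748316, WMI, "SeBackupPrivilege"),
    make_event(1300748316, WMI, "SeBackupPrivilege"),   # same RecordNumber: re-ingested copy
    make_event(1300748317, WMI, "SeBackupPrivilege"),
    make_event(1300748318, CHROME, "SeBackupPrivilege"),
    make_event(1300748319, r"C:\Windows\System32\lsass.exe", "SeTcbPrivilege"),
]

FIELD_RE = re.compile(r"^([A-Za-z]+)=(.*)$", re.M)   # key=value header lines
PROC_RE = re.compile(r"Process Name:\s*(.+)")        # 4674 "Process Information" field
PRIV_RE = re.compile(r"Privileges:\s*(.+)")          # 4674 "Requested Operation" field

def parse_event(text):
    """Pull RecordNumber/EventCode/host from the header and process/privilege from the message."""
    fields = dict(FIELD_RE.findall(text))
    proc, priv = PROC_RE.search(text), PRIV_RE.search(text)
    return {"RecordNumber": fields.get("RecordNumber"), "EventCode": fields.get("EventCode"),
            "host": fields.get("ComputerName"),
            "process": proc.group(1).strip() if proc else None,
            "privilege": priv.group(1).strip() if priv else None}

def find_duplicates(events):
    """Skalli's check: (host, RecordNumber) pairs seen more than once mean duplicate ingestion."""
    counts = Counter((e["host"], e["RecordNumber"]) for e in events)
    return {key: n for key, n in counts.items() if n > 1}

def dedupe(events):
    """Keep one event per (host, RecordNumber) so re-ingested copies do not skew the counts."""
    return list({(e["host"], e["RecordNumber"]): e for e in events}.values())

def top_talkers(events, privilege="SeBackupPrivilege"):
    """Root-cause view from the thread: which process drives the 4674 volume for one privilege."""
    wanted = [e for e in dedupe(events) if e["EventCode"] == "4674" and e["privilege"] == privilege]
    return Counter(e["process"] for e in wanted).most_common()
```

Run it against real exports by replacing SAMPLE_EVENTS with the raw event text; a process that dominates the top_talkers output is the candidate for a targeted audit exclusion rather than switching off 4674 auditing entirely.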