Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

roguebmc
New Member

Has anyone seen an issue where Win Event Logs (Security logs) (Win10) are generating gigs of data related to SeBackupPrivilege?
Any idea why this is happening and how to fix it?

This is the log message:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=(Hostname)
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=1300748316
Keywords=Audit Success
Message=An operation was attempted on a privileged object.
0 Karma

roguebmc
New Member

Thanks Skalli. I hadn't thought of that to be honest, so great point.

The high volume of alerts was primarily from one machine. Once we disabled auditing in the Windows event log, it stopped the spamming. The root cause is actually any app that is accessing a 'privileged object' (in this case it's calling the WmiPrvSE.exe process, but can be many, such as Adobe updater), and that is triggering millions of events in the log. Event 4674 in this case. So that is what I need to focus on now.

Thanks for the response again.
Brian

0 Karma

jpolcari
Communicator

Curious to see if you found any more information on this. I'd like to not filter out the 4674 events, but they are creating so many events that Splunk cannot keep up. For me, it is specifically the SeBackupPrivilege.

0 Karma

evolutionxtinct
Explorer

Did anyone hear back on this? I'm getting the same issue but with chrome.exe and iexplorer.exe; any guidance would be appreciated, thanks!

0 Karma

jpolcari
Communicator

I ended up disabling the auditing for the SeBackupPrivilege only.

evolutionxtinct
Explorer

Did you disable the SeBackupPrivilege through GPO or during Splunk ingestion?

0 Karma

jpolcari
Communicator

I did that through GPO. I didn't find the event very useful for my environment so chose not to log it.

0 Karma

skalliger
Motivator

Have you checked for duplicate RecordNumbers?
Because sometimes you get a ridiculously high number of the same message.
Like this:

index=*active_directory* sourcetype=*whatever*
| stats count by RecordNumber, _time, host
| where count > 1

Skalli

0 Karma
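The two diagnoses in this thread (roguebmc's finding that one process, WmiPrvSE.exe, genuinely generates millions of 4674 events, and Skalli's check for the same RecordNumber being ingested more than once) can be separated offline before touching audit policy. The script below is an added example, not code from the thread or from Splunk: it parses 4674 records in the key=value layout shown in the question, applies the same duplicate test as Skalli's SPL (RecordNumber, _time, host) using the ComputerName field as the host, and then counts only the unique events by process and privilege so you can see which process is actually responsible. The sample events are constructed, and the Privileges= and Process_Name= fields are an assumption about how the 4674 message body is flattened; adjust them to whatever your add-on emits.

```python
"""Triage a burst of Windows Security event 4674 records.

Added example, not from the thread. SAMPLE_EVENTS is constructed;
the field names Privileges= and Process_Name= are assumed, not taken
from the page.
"""
from collections import Counter
import ntpath

# Constructed sample: one record (1300748316) ingested three times, two more
# genuine WmiPrvSE/chrome events, one event from another host, and one 4672
# record that should be ignored by the 4674 summary.
SAMPLE_EVENTS = r"""
_time=2024-05-01T10:00:00Z
EventCode=4674
ComputerName=WS-0001
RecordNumber=1300748316
Privileges=SeBackupPrivilege
Process_Name=C:\Windows\System32\wbem\WmiPrvSE.exe

_time=2024-05-01T10:00:00Z
EventCode=4674
ComputerName=WS-0001
RecordNumber=1300748316
Privileges=SeBackupPrivilege
Process_Name=C:\Windows\System32\wbem\WmiPrvSE.exe

_time=2024-05-01T10:00:00Z
EventCode=4674
ComputerName=WS-0001
RecordNumber=1300748316
Privileges=SeBackupPrivilege
Process_Name=C:\Windows\System32\wbem\WmiPrvSE.exe

_time=2024-05-01T10:00:01Z
EventCode=4674
ComputerName=WS-0001
RecordNumber=1300748317
Privileges=SeBackupPrivilege
Process_Name=C:\Windows\System32\wbem\WmiPrvSE.exe

_time=2024-05-01T10:00:02Z
EventCode=4674
ComputerName=WS-0001
RecordNumber=1300748318
Privileges=SeBackupPrivilege
Process_Name=C:\Program Files\Google\Chrome\Application\chrome.exe

_time=2024-05-01T10:00:02Z
EventCode=4674
ComputerName=WS-0002
RecordNumber=2200
Privileges=SeSecurityPrivilege
Process_Name=C:\Windows\System32\svchost.exe

_time=2024-05-01T10:00:03Z
EventCode=4672
ComputerName=WS-0002
RecordNumber=2201
"""


def parse_events(text):
    """Split blank-line-separated key=value blocks into one dict per event."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if "=" in line:
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def record_key(event):
    """Same grouping as Skalli's SPL: RecordNumber, _time, host."""
    return (event.get("RecordNumber"), event.get("_time"), event.get("ComputerName"))


def find_duplicate_records(events):
    """Return {(RecordNumber, _time, host): count} for keys seen more than once."""
    counts = Counter(record_key(ev) for ev in events)
    return {key: n for key, n in counts.items() if n > 1}


def dedupe(events):
    """Keep the first copy of each record so re-ingested events are not counted twice."""
    seen, unique = set(), []
    for ev in events:
        key = record_key(ev)
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def summarize_4674(events):
    """Count unique 4674 events by (process basename, privilege)."""
    counts = Counter()
    for ev in dedupe(events):
        if ev.get("EventCode") != "4674":
            continue
        process = ntpath.basename(ev.get("Process_Name", "?"))  # handles Windows paths on any OS
        counts[(process, ev.get("Privileges", "?"))] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("duplicate records:", find_duplicate_records(evs))
    for (process, privilege), n in summarize_4674(evs).most_common():
        print(f"{n:>4}  {process:<14} {privilege}")
```

If the duplicate map is large, the fix is on the ingestion side (the same record is being collected more than once); if it is empty and the summary is dominated by a single (process, privilege) pair, the volume is real and the decision is the one jpolcari made, whether that process's privilege use is worth auditing at all.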