Hello. We've recently started logging all info from in-scope (for PCI DSS compliance) Windows Server 2008 R2 servers and I am configuring alerting on certain types of event ID, one of them being 4624. I am getting about 1500 - 2000 alerts a day on this event ID alone and of that amount, 95% are ones like below. Are these just noise, the servers talking to one another? I really need to suppress these types of alerts. I only need to know when users logon and logoff or have failed logons. I am employing the Advanced Audit Policy config and was hoping that I could suppress these via that but could not see where to do that. First inclination was in the Account Logon section, which contains the Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations items but these don't generate the 4624. Thanks in advance!
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-21-903162274-1763063872-709122288-14066
TargetUserName SERVER$
TargetDomainName DOMAIN
TargetLogonId 0x9781115
LogonType 3
LogonProcessName Kerberos
AuthenticationPackageName Kerberos
WorkstationName
LogonGuid {F7B984DF-8123-3088-1A90-059DBAC2067F}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress 192.168.3.22
IpPort 63513
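Added example (not from the original post) that triages 4624 field dumps in the post's own "FieldName value" layout: a TargetUserName ending in "$" with LogonType 3 is a computer account's network logon (the SERVER$ / Kerberos pattern above), while logon types 2, 7, 10 and 11 are user sign-ins. The sample events, the "jdoe" account and the verdict names are constructed for the example.

```python
"""Triage Windows Security event 4624 field dumps: machine-account noise vs. user logons."""

# Constructed samples in the same "FieldName value" layout the post shows. The first
# mirrors the posted event; the others are made up to exercise the other branches.
SAMPLE_EVENTS = [
    "SubjectUserSid S-1-0-0\nTargetUserName SERVER$\nTargetDomainName DOMAIN\n"
    "LogonType 3\nAuthenticationPackageName Kerberos\nIpAddress 192.168.3.22",
    "SubjectUserSid S-1-5-18\nTargetUserName jdoe\nTargetDomainName DOMAIN\n"
    "LogonType 2\nAuthenticationPackageName Negotiate\nIpAddress 127.0.0.1",
    "SubjectUserSid S-1-0-0\nTargetUserName jdoe\nTargetDomainName DOMAIN\n"
    "LogonType 10\nAuthenticationPackageName Negotiate\nIpAddress 10.0.0.5",
    "SubjectUserSid S-1-0-0\nTargetUserName ANONYMOUS LOGON\nTargetDomainName NT AUTHORITY\n"
    "LogonType 3\nAuthenticationPackageName NTLM\nIpAddress 10.0.0.9",
]

# Logon types that mean a person signed in: 2 interactive (console), 7 unlock,
# 10 RemoteInteractive (RDP), 11 cached interactive. Type 3 is a network logon
# (SMB, Kerberos service tickets between hosts); 4/5 are batch/service logons.
USER_LOGON_TYPES = {"2", "7", "10", "11"}


def parse_event(text):
    """Turn 'Name value' lines into a dict; '-' (the log's empty marker) becomes ''."""
    fields = {}
    for line in text.splitlines():
        name, _, value = line.strip().partition(" ")
        if name:
            fields[name] = "" if value.strip() == "-" else value.strip()
    return fields


def classify(ev):
    """Return 'noise', 'alert' or 'review' for one parsed 4624 event."""
    target, logon_type = ev.get("TargetUserName", ""), ev.get("LogonType", "")
    # Computer accounts end in '$'; a type-3 logon by one is host-to-host traffic.
    if target.endswith("$") and logon_type == "3":
        return "noise"
    if logon_type in USER_LOGON_TYPES:
        return "alert"
    # Network logons by user accounts, service/batch logons and anonymous logons are
    # neither plain noise nor a user sign-in; hand them to a separate rule.
    return "review"


def triage(raw_events):
    """Map each raw field dump to (verdict, 'Domain\\User', LogonType)."""
    out = []
    for raw in raw_events:
        ev = parse_event(raw)
        out.append((classify(ev), ev["TargetDomainName"] + "\\" + ev["TargetUserName"], ev["LogonType"]))
    return out


if __name__ == "__main__":
    for verdict, account, lt in triage(SAMPLE_EVENTS):
        print(f"{verdict:6} type={lt:2} {account}")
```

The same three-way split maps onto an Event Viewer custom view or a SIEM rule: alert on the user logon types, drop "$"-suffixed type-3 logons, and route the remainder to a lower-priority rule.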