Forum Discussion
VidhyaChristopher
Dec 11, 2020 (Copper Contributor)
How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?
The built-in connector for Windows 'SecurityEvent' is not logging the property 'Keyword', which is generally used to classify the Security Events into Success and Failure Audit.
We have a requirement to build a detection rule based on the successful password change and reset. Relevant EventIDs are 4723 and 4724. However, these event IDs log both Success and Failure audit logs, and the property that indicates whether it is a Success or Failure audit is 'Keyword', which is not logged by the 'SecurityEvent' connector.
Is there any workaround for this?
9 Replies
- chrisnelmes (Copper Contributor)
Pernille-Eskebo how can we get this fixed?
- I guess this issue still doesn't have any exact solution. We have to wait.
- Clive_Watson (Bronze Contributor)
There were only 15 votes (see the link) - so I suspect that is too low for consideration at this time.
- We can definitely share the link inside our community for more votes.
- CliveWatson (Former Employee)
VidhyaChristopher this is a known issue and is being looked at.
- grmccauley (Copper Contributor)
This has been a known issue for almost 2.5 years now. Any idea when a fix will be available?
- Clive_Watson (Bronze Contributor)
https://feedback.azure.com/d365community/idea/4aa534ab-ac25-ed11-9db2-000d3a4d93f5 It looks like the request was declined. BTW, I'm no longer at Microsoft, so I don't know any more than the above.
- Manb4t (Copper Contributor)
Is there any update on this one, Clive? Does switching to AMA rectify the issue?
Thanks
- VidhyaChristopher (Copper Contributor)
Thank you for the response, CliveWatson. Hope to see the solution soon!