How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?


The built-in connector for Windows 'SecurityEvent' is not logging the property 'Keyword', which is generally used to classify Security Events as Success or Failure Audit.


We have a requirement to build a detection rule based on successful password changes and resets. The relevant EventIDs are 4723 and 4724. However, these event IDs log both Success and Failure audit events, and the property that indicates whether an event is a Success or Failure audit is 'Keyword', which is not logged by the 'SecurityEvent' connector.


Is there any workaround for this?
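To show concretely what the missing 'Keyword' property carries, here is an added example (not code from this thread, from the poster, or from Microsoft). It classifies raw Windows Security event XML as Audit Success or Audit Failure from the Keywords bitmask in the `<System>` section and then applies the filter the question describes: successful 4723 (password change) and 4724 (password reset) only. It assumes you have the raw event XML available (for example exported from the event log or collected by a path that keeps the `<System>` section), which the 'SecurityEvent' connector described above does not provide; the three sample events are constructed, and the user names in them are placeholders. The two Keywords values are the ones the Security log sets for Audit Success (0x8020000000000000) and Audit Failure (0x8010000000000000).

```python
import xml.etree.ElementTree as ET

# Keyword bits that the Security log sets in the <System> section of every
# audit event. The 'SecurityEvent' connector drops this field, which is why a
# rule on the table alone cannot tell a successful 4723 from a failed one.
AUDIT_SUCCESS_BIT = 0x0020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, keywords, subject, target):
    """Build a minimal Security event XML document (constructed test data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <Keywords>{keywords}</Keywords>
  </System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="TargetUserName">{target}</Data>
  </EventData>
</Event>"""


# Constructed sample events, not real log data: a successful password change,
# a failed one (e.g. wrong old password) and a successful reset by another account.
SAMPLE_EVENTS = [
    _event(4723, "0x8020000000000000", "alice", "alice"),
    _event(4723, "0x8010000000000000", "bob", "bob"),
    _event(4724, "0x8020000000000000", "helpdesk1", "carol"),
]


def parse_event(xml_text):
    """Return the EventID, the raw Keywords value and the EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "EventID": int(system.find("e:EventID", NS).text),
        "Keywords": int(system.find("e:Keywords", NS).text, 16),
        "Data": {d.get("Name"): (d.text or "")
                 for d in root.findall("e:EventData/e:Data", NS)},
    }


def audit_outcome(keywords):
    """Map the Keywords bitmask to the label Event Viewer shows in its Keywords column."""
    if keywords & AUDIT_FAILURE_BIT:
        return "Audit Failure"
    if keywords & AUDIT_SUCCESS_BIT:
        return "Audit Success"
    return "Unknown"


PASSWORD_EVENTS = {4723: "password change", 4724: "password reset"}


def successful_password_events(xml_events):
    """The detection the question asks for: only successful 4723/4724 events."""
    hits = []
    for ev in map(parse_event, xml_events):
        if ev["EventID"] in PASSWORD_EVENTS and audit_outcome(ev["Keywords"]) == "Audit Success":
            hits.append((ev["EventID"], PASSWORD_EVENTS[ev["EventID"]],
                         ev["Data"]["SubjectUserName"], ev["Data"]["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for hit in successful_password_events(SAMPLE_EVENTS):
        print(hit)
```

Run against the three constructed events, the failed 4723 for bob is dropped and the two successful events remain. Note that both Keywords values share the high 0x8000000000000000 bit, so the check must test the specific success or failure bit rather than compare the whole value against one constant.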


2 Replies

Clive Watson: @VidhyaChristopher this is a known issue and is being looked at.

Thank you for the response @Clive Watson. Hope to see the solution soon!