How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

Copper Contributor

The builtin connector for Windows 'SecurityEvent' is not logging the property 'Keyword' which is generally used to classify the Security Events to Success and Failure Audit.


We have a requirement to build a detection rule based on the successful password change and reset. Relevant EventIDs are 4723 and 4724. However, these event IDs logs both Success and failure audit logs and the property that indicates whether it is Success or Failure audit is 'Keyword', which is not logged by the 'SecurityEvent' connector.


Is there any workaround for this?


9 Replies

Thank your for the reseponse@CliveWatson.Hope to see the solution soon!

Is there any update on this one Clive? Does switching to AMA rectify the issue?

This has been a known issue for almost 2.5 years now. Any idea when a fix will be available? It looks like the request was declined. BTW, I'm no longer at Microsoft, so I don't know any more than the above.
I guess this issue still dont have any exact solution . we have to wait
There were only 15votes (see the link) - so I suspect that is too low for consideration at this time.
we can definitely share link inside our community for more vote