cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

VidhyaChristopher
Copper Contributor

‎Dec 10 2020 09:38 PM

‎Dec 10 2020 09:38 PM

How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

The builtin connector for Windows 'SecurityEvent' is not logging the property 'Keyword' which is generally used to classify the Security Events to Success and Failure Audit.

 

We have a requirement to build a detection rule based on the successful password change and reset. Relevant EventIDs are 4723 and 4724. However, these event IDs logs both Success and failure audit logs and the property that indicates whether it is Success or Failure audit is 'Keyword', which is not logged by the 'SecurityEvent' connector.

 

Is there any workaround for this?

 

3,016 Views
0 Likes
9 Replies
Reply
9 Replies
CliveWatson

‎Dec 11 2020 12:38 AM

‎Dec 11 2020 12:38 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

@VidhyaChristopher this is a known issue and is being looked at.  

0 Likes
Reply
VidhyaChristopher

‎Dec 13 2020 05:02 AM

‎Dec 13 2020 05:02 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

Thank your for the reseponse@CliveWatson.Hope to see the solution soon!

0 Likes
Reply
Manb4t

‎Jul 20 2021 10:03 AM

‎Jul 20 2021 10:03 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

Is there any update on this one Clive? Does switching to AMA rectify the issue?

Thanks
0 Likes
Reply
grmccauley

‎Apr 12 2023 12:20 PM

‎Apr 12 2023 12:20 PM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

This has been a known issue for almost 2.5 years now. Any idea when a fix will be available?
0 Likes
Reply
Clive_Watson

‎Apr 13 2023 02:20 AM

‎Apr 13 2023 02:20 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

https://feedback.azure.com/d365community/idea/4aa534ab-ac25-ed11-9db2-000d3a4d93f5 It looks like the request was declined. BTW, I'm no longer at Microsoft, so I don't know any more than the above.
0 Likes
Reply
SABBIR_RUBAYAT

‎Apr 13 2023 03:00 AM

‎Apr 13 2023 03:00 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

I guess this issue still dont have any exact solution . we have to wait
1 Like
Reply
Clive_Watson

‎Apr 13 2023 03:18 AM

‎Apr 13 2023 03:18 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

There were only 15votes (see the link) - so I suspect that is too low for consideration at this time.
0 Likes
Reply
SABBIR_RUBAYAT

‎Apr 15 2023 10:28 AM

‎Apr 15 2023 10:28 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

we can definitely share link inside our community for more vote
1 Like
Reply