cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more

How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

VidhyaChristopher
New Contributor

‎Dec 10 2020 09:38 PM

‎Dec 10 2020 09:38 PM

How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

The builtin connector for Windows 'SecurityEvent' is not logging the property 'Keyword' which is generally used to classify the Security Events to Success and Failure Audit.

 

We have a requirement to build a detection rule based on the successful password change and reset. Relevant EventIDs are 4723 and 4724. However, these event IDs logs both Success and failure audit logs and the property that indicates whether it is Success or Failure audit is 'Keyword', which is not logged by the 'SecurityEvent' connector.

 

Is there any workaround for this?

 

1,106 Views
0 Likes
3 Replies
Reply
3 Replies
CliveWatson

‎Dec 11 2020 12:38 AM

‎Dec 11 2020 12:38 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

@VidhyaChristopher this is a known issue and is being looked at.  

0 Likes
Reply
VidhyaChristopher

‎Dec 13 2020 05:02 AM

‎Dec 13 2020 05:02 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

Thank your for the reseponse@CliveWatson.Hope to see the solution soon!

0 Likes
Reply
Manb4t

‎Jul 20 2021 10:03 AM

‎Jul 20 2021 10:03 AM

Re: How to differentiate Success and Failure Audit logs in Security Events (for events like 4723)?

Is there any update on this one Clive? Does switching to AMA rectify the issue?

Thanks
0 Likes
Reply