KB 240103: False positive in Logon Failure Template associated with Computer activity
Issue: The Logon Failure Template does not filter out computer accounts, which are a known source of 'noise'
Symptoms: Unexpected Alerts from computer accounts
Cause: Rules are filtered generically against EventID
Scope: Security Templates 3.0.6500.0
Product/s: Windows Security Auditor
Resolution
Modify the template-created rules to include an additional filter expression, or disable the rule
Filter Expression: Where Parameter1 Does Not Contain $
Hint: All template-created rules and monitors include a name suffix of [Template Created]
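
The effect of the filter expression on a batch of logon-failure events, as an added illustration (not product code and not part of this KB), compared with a narrower check that only matches a trailing $. The events are constructed sample data; treating Parameter1 as the account name is an assumption taken from the KB's expression, and the suffix variant is a hypothetical alternative, not a product setting.

```python
# Constructed sample events. "Parameter1" is assumed to carry the account name,
# as implied by the KB's filter expression.
SAMPLE_EVENTS = [
    {"Parameter1": "jsmith", "Computer": "DC01"},
    {"Parameter1": "WKSTN042$", "Computer": "DC01"},    # computer account
    {"Parameter1": "FILESRV01$", "Computer": "DC02"},   # computer account
    {"Parameter1": "svc$backup", "Computer": "DC01"},   # user name with an embedded $
    {"Parameter1": "administrator", "Computer": "DC02"},
    {"Parameter1": "", "Computer": "DC02"},             # empty account name
]


def kb_filter(event):
    """The KB expression: Parameter1 Does Not Contain $."""
    return "$" not in event.get("Parameter1", "")


def suffix_filter(event):
    """Hypothetical narrower variant: drop only names that end in $."""
    return not event.get("Parameter1", "").rstrip().endswith("$")


def alerts(events, predicate):
    """Account names that would still raise an alert under the given filter."""
    return [e["Parameter1"] for e in events if predicate(e)]


def suppressed_only_by_kb(events):
    """Accounts the 'contains' filter silences but a trailing-$ check keeps."""
    return [e["Parameter1"] for e in events
            if suffix_filter(e) and not kb_filter(e)]


if __name__ == "__main__":
    print("KB filter alerts:    ", alerts(SAMPLE_EVENTS, kb_filter))
    print("Suffix filter alerts:", alerts(SAMPLE_EVENTS, suffix_filter))
    print("Silenced by KB only: ", suppressed_only_by_kb(SAMPLE_EVENTS))
```

After applying the expression, review whether any user or service account names in the environment contain a $, since their logon failures will no longer alert.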