Authentication suppression rule may be a little aggressive for some

[uplateandonline]

Hi team,

Thanks for the work on this. Just FYI, we noticed that this actually means that UAC logins (in the form of 4624 events) don't get forwarded. We decided to change this as often analysts might just search for 4624 events to see where an account has been used (noting that's not ideal). So we flipped this suppress rule so all 4624s are collected regardless of SID. It does increase the volume a bit, but we think it's worth it.

Might be worth placing a comment up the top of the subscription policy (it took us a while to find) if you are intending to leave it as is.

Thanks!

[Beercow]

If you change Suppress Path="Security">[EventData[Data[1]="S-1-5-18"]]</Suppress> To Suppress Path="Security">[EventData[Data[5]="S-1-5-18"]]</Suppress> It cuts down on System events without losing insight as to where users are logging in.