July 21, 2021

SIEM tuning: Windows local authentication

In our SIEM, we have a rule set up to alert on failed admin login attempts on endpoints. This works perfectly for domain admin accounts. However, we use local admin accounts on the endpoints for making changes from helpdesk requests, such as installing an application that went through approval, or for apps that require them for updates, etc. The problem is that an audit failure for “CachedInteractive” (logon type 11) shows up for the local admin account even when the authentication is successful.

I haven’t found a way to prevent this cached interactive auth from happening or failing. The only other option I can see is to tune out the logon type that’s causing the false positive. Has anyone had a similar problem they’ve resolved? Or does anyone have any thoughts on tuning out the cached logon type and the implications of doing so?
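The post describes two ways to handle the false positive: drop logon type 11 from the failed-admin-logon rule altogether, or keep it and suppress only the cases where the same local admin account logs on successfully moments later. The following is an added example (not code from the original post or from any particular SIEM) that runs both variants, plus the untuned rule, over a handful of constructed 4625/4624 records. The field names (`EventID`, `Computer`, `TargetUserName`, `TargetDomainName`, `LogonType`) are the ones Windows writes to the Security log; the admin watch list `ADMIN_ACCOUNTS`, the sample records, and the 60-second correlation window are assumptions for the example. It also assumes that a local account can be recognised by `TargetDomainName` matching the host name, which is how the field is populated for local-SAM logons.

```python
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # "An account failed to log on"
SUCCESS_LOGON = 4624       # "An account was successfully logged on"
CACHED_INTERACTIVE = 11    # LogonType 11, CachedInteractive

# Hypothetical watch list: "domain\user" for domain accounts, bare user name
# for local accounts. A real rule would pull this from the SIEM's identity data.
ADMIN_ACCOUNTS = {"corp\\da-alice", "la-helpdesk"}


def is_local_account(ev):
    """Assumption: for a local-SAM logon TargetDomainName equals the host name."""
    host = ev["Computer"].split(".")[0]
    return ev["TargetDomainName"].lower() == host.lower()


def account_key(ev):
    """Normalise the account so local and domain accounts compare cleanly."""
    user = ev["TargetUserName"].lower()
    if is_local_account(ev):
        return user
    return f"{ev['TargetDomainName'].lower()}\\{user}"


def has_success_after(failure, events, window):
    """True if the same account logged on successfully on the same host
    within `window` after the failure (the pattern the post describes)."""
    deadline = failure["TimeCreated"] + window
    for other in events:
        if (other["EventID"] == SUCCESS_LOGON
                and other["Computer"] == failure["Computer"]
                and account_key(other) == account_key(failure)
                and failure["TimeCreated"] <= other["TimeCreated"] <= deadline):
            return True
    return False


def failed_admin_logons(events, mode="correlate", window_seconds=60):
    """Return RecordIds of 4625 events that should alert.

    mode="raw":         every failed logon for a watched admin account
    mode="drop_type11": same, but ignore CachedInteractive failures of local accounts
    mode="correlate":   ignore those only when a 4624 for the same account
                        follows on the same host within the window
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ev in events:
        if ev["EventID"] != FAILED_LOGON or account_key(ev) not in ADMIN_ACCOUNTS:
            continue
        cached_local = ev["LogonType"] == CACHED_INTERACTIVE and is_local_account(ev)
        if mode == "drop_type11" and cached_local:
            continue
        if mode == "correlate" and cached_local and has_success_after(ev, events, window):
            continue
        alerts.append(ev["RecordId"])
    return alerts


def _ev(record_id, hhmmss, event_id, computer, user, domain, logon_type):
    """Build one constructed Security-log record (sample data, not real logs)."""
    return {
        "RecordId": record_id,
        "TimeCreated": datetime.strptime(f"2021-07-21 {hhmmss}", "%Y-%m-%d %H:%M:%S"),
        "EventID": event_id,
        "Computer": computer,
        "TargetUserName": user,
        "TargetDomainName": domain,
        "LogonType": logon_type,
    }


# Constructed sample: the noisy type-11 failure followed by success (1, 2),
# a genuine local admin failure (3), a domain admin failure (4), a type-11
# failure with no success inside the window (5, 6), and a non-admin user (7).
SAMPLE_EVENTS = [
    _ev(1, "09:00:00", FAILED_LOGON,  "WS01.corp.local", "la-helpdesk", "WS01", 11),
    _ev(2, "09:00:02", SUCCESS_LOGON, "WS01.corp.local", "la-helpdesk", "WS01", 2),
    _ev(3, "09:15:00", FAILED_LOGON,  "WS02.corp.local", "la-helpdesk", "WS02", 2),
    _ev(4, "09:20:00", FAILED_LOGON,  "WS03.corp.local", "da-alice",    "CORP", 10),
    _ev(5, "09:30:00", FAILED_LOGON,  "WS01.corp.local", "la-helpdesk", "WS01", 11),
    _ev(6, "09:35:00", SUCCESS_LOGON, "WS01.corp.local", "la-helpdesk", "WS01", 2),
    _ev(7, "09:40:00", FAILED_LOGON,  "WS04.corp.local", "bob",         "CORP", 2),
]

if __name__ == "__main__":
    for mode in ("raw", "drop_type11", "correlate"):
        print(f"{mode:12s} -> alerting RecordIds: {failed_admin_logons(SAMPLE_EVENTS, mode)}")
```

On the sample data the untuned rule fires on records 1, 3, 4 and 5; dropping type 11 outright fires on 3 and 4 only; the correlated variant fires on 3, 4 and 5. Record 5 is the one to look at: a CachedInteractive failure for a local admin with no success following it is exactly what a blanket exclusion would hide, so correlating against the 4624 keeps the noise suppression the post asks for without giving up visibility into real failures of those accounts.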
