In our SIEM, we have a rule set up to alert on failed admin login attempts by endpoints. This works perfectly for domain admin accounts. However, we use local admin accounts on the endpoints for making changes from helpdesk requests, such as installing an application that went through approval, or some apps require them for updates, etc. However, an audit failure for “CachedInteractive” (logon type 11) shows up for the local admin account even when the authentication is successful.
I haven’t found a way to either prevent this cached interactive auth from happening/failing. The only other option I can see, is to tune out the logon type that’s causing the false positive. Has anyone had a similar problem they’ve resolved? Or does anyone have any thoughts on tuning out the Cached logon type and the implications of doing so?
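An added example, not from the original poster, of how the tuning described above can be narrowed instead of excluding logon type 11 outright. Rather than dropping every CachedInteractive failure, the rule suppresses a type 11 failure (Event ID 4625) only when the same account on the same workstation logs on successfully (Event ID 4624) within a short window afterwards; a type 11 failure with no matching success still alerts. The event records are constructed samples using the EventData field names of 4624/4625; the account names, hostnames, timestamps and the 30-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (4625 = failed logon, 4624 = successful logon).
# Field names follow the EventData names of those events; all values are made up.
SAMPLE_EVENTS = [
    # Local admin: cached-interactive failure immediately followed by a real success.
    {"time": "2024-01-10T09:00:00", "EventID": 4625, "TargetUserName": "localadmin",
     "TargetDomainName": "WS-0042", "LogonType": 11, "WorkstationName": "WS-0042"},
    {"time": "2024-01-10T09:00:02", "EventID": 4624, "TargetUserName": "localadmin",
     "TargetDomainName": "WS-0042", "LogonType": 2, "WorkstationName": "WS-0042"},
    # Domain admin: interactive failure, no success afterwards.
    {"time": "2024-01-10T09:05:00", "EventID": 4625, "TargetUserName": "da-jsmith",
     "TargetDomainName": "CORP", "LogonType": 2, "WorkstationName": "WS-0042"},
    # Local admin on another host: cached-interactive failure with no matching success.
    {"time": "2024-01-10T09:10:00", "EventID": 4625, "TargetUserName": "localadmin",
     "TargetDomainName": "WS-0077", "LogonType": 11, "WorkstationName": "WS-0077"},
]

# Assumed admin account watch list (both domain and local admin names).
ADMIN_ACCOUNTS = {"da-jsmith", "localadmin"}
CACHED_INTERACTIVE = 11


def parse_time(value):
    """Parse the ISO 8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def failed_admin_logon_alerts(events, admin_accounts, window_seconds=30):
    """Return the 4625 events that should raise an alert.

    Every failed logon for a watched admin account alerts, except a
    CachedInteractive (type 11) failure that is followed within window_seconds
    by a 4624 success for the same account on the same workstation. Any other
    logon type is never suppressed.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    successes = [e for e in ordered if e["EventID"] == 4624]
    alerts = []
    for event in ordered:
        if event["EventID"] != 4625 or event["TargetUserName"] not in admin_accounts:
            continue
        if event["LogonType"] == CACHED_INTERACTIVE:
            start = parse_time(event["time"])
            end = start + timedelta(seconds=window_seconds)
            followed_by_success = any(
                s["TargetUserName"] == event["TargetUserName"]
                and s["WorkstationName"] == event["WorkstationName"]
                and start <= parse_time(s["time"]) <= end
                for s in successes
            )
            if followed_by_success:
                continue  # benign cached-credential miss, real logon succeeded
        alerts.append(event)
    return alerts


def summarize(alerts):
    """Compact (user, workstation, logon type) tuples for review or a SIEM notable."""
    return [(a["TargetUserName"], a["WorkstationName"], a["LogonType"]) for a in alerts]


if __name__ == "__main__":
    for line in summarize(failed_admin_logon_alerts(SAMPLE_EVENTS, ADMIN_ACCOUNTS)):
        print(line)
```

The correlation keeps the signal a blanket exclusion would lose: a type 11 failure on a host where no success follows (for instance a laptop off the network) still surfaces, while the expected "cached miss then success" pair on a helpdesk session is silenced. In a production SIEM the same join is expressed as a sequence or transaction over the 4625/4624 pair keyed on account and workstation, with the window sized to the observed gap between the two events.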