topic Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege? in Getting Data In

Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

roguebmc — Mon, 12 Jun 2017 17:14:11 GMT

Has anyone seen an issue where Win Event Logs (Security logs) (Win10) are generating gigs of data related to SeBackupPrivilege?
Any idea why this is happening and how to fix it?

This is the log message:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=(Hostname)
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=1300748316
Keywords=Audit Success
Message=An operation was attempted on a privileged object.

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

skalliger — Tue, 13 Jun 2017 12:16:30 GMT

Have you checked for duplicate RecordNumbers?
Because sometimes you get a ridiculous high amount of the same message.
Like this:

index=*active_directory* sourcetype=*whatever* 
| stats count by RecordNumber, _time, host 
| where count > 1

Skalli

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

roguebmc — Wed, 14 Jun 2017 02:59:54 GMT

Thanks Skalli. I hadn't thought of that to be honest, so great point.

The high volume of alerts were primarily from one machine. Once we disabled auditing in the windows event log, it stopped the spamming. The root cause is actually any app that is accessing a 'privileged object' (in this case it's calling the WmiPrvSE.exe process, but can be many such as adobe updater), and that is triggering millions of events in the log. Event 4674 in this case. So that is what I need to focus on now.

Thanks for the response again.
Brian

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

jpolcari — Fri, 18 May 2018 13:20:30 GMT

Curious to see if you found any more information on this. I'd like to not filter out the 4674 events but they are creating so many events that Splunk cannot keep up. For me, it is specifically the SeBackupPrivilege

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

evolutionxtinct — Tue, 12 Jun 2018 21:36:04 GMT

Did anyone hear back on this? I'm getting the same issue but with chrome.exe and iexplorer.exe any guidance would be appreciated, thanks!

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

jpolcari — Wed, 13 Jun 2018 16:42:54 GMT

I ended up disabling the auditing for the SeBackupPrivilege only.

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

evolutionxtinct — Wed, 13 Jun 2018 16:45:46 GMT

Did you disable the SEBackupPrivilege through GPO or during splunk ingesting?

Re: Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

jpolcari — Wed, 13 Jun 2018 16:47:19 GMT

I did that through GPO. I didn't find the event very useful for my environment so chose not to log it.