Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

roguebmc
New Member

Has anyone seen an issue where Win Event Logs (Security logs) (Win10) are generating gigs of data related to SeBackupPrivilege?
Any idea why this is happening and how to fix it?

This is the log message:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=(Hostname)
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=1300748316
Keywords=Audit Success
Message=An operation was attempted on a privileged object.
roguebmc
New Member

Thanks Skalli. I hadn't thought of that to be honest, so great point.

The high volume of alerts was primarily from one machine. Once we disabled auditing in the Windows event log, it stopped the spamming. The root cause is actually any app that is accessing a 'privileged object' (in this case it's calling the WmiPrvSE.exe process, but it can be many, such as Adobe updater), and that is triggering millions of events in the log. Event 4674 in this case. So that is what I need to focus on now.

Thanks for the response again.
Brian

jpolcari
Communicator

Curious to see if you found any more information on this. I'd like to not filter out the 4674 events, but they are creating so many events that Splunk cannot keep up. For me, it is specifically the SeBackupPrivilege.

evolutionxtinct
Explorer

Did anyone hear back on this? I'm getting the same issue but with chrome.exe and iexplorer.exe; any guidance would be appreciated, thanks!

jpolcari
Communicator

I ended up disabling the auditing for the SeBackupPrivilege only.

evolutionxtinct
Explorer

Did you disable the SeBackupPrivilege through GPO or during Splunk ingestion?

jpolcari
Communicator

I did that through GPO. I didn't find the event very useful for my environment so chose not to log it.

skalliger
Motivator

Have you checked for duplicate RecordNumbers?
Because sometimes you get a ridiculously high amount of the same message.
Like this:

index=*active_directory* sourcetype=*whatever* 
| stats count by RecordNumber, _time, host 
| where count > 1

Skalli

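The two triage steps the thread converges on, skalliger's duplicate-RecordNumber check and roguebmc's finding that one process (WmiPrvSE.exe) using SeBackupPrivilege was behind the 4674 flood, as an added offline example that is not from any poster or from Splunk. It assumes the events have been exported one per line in key=value form, with the Privileges and Process Name fields of the 4674 message body already extracted as `Privileges` and `ProcessName`; the sample events are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample events, one per line, in the key=value layout Splunk shows
# for WinEventLog:Security. Privileges/ProcessName are assumed to have been
# pulled out of the 4674 message body. The first two lines are a deliberate
# duplicate (same RecordNumber, _time and host), i.e. re-ingested, not re-logged.
SAMPLE_EVENTS = """\
_time=2019-05-01T10:00:00 host=WS01 EventCode=4674 RecordNumber=1300748316 Privileges=SeBackupPrivilege ProcessName=WmiPrvSE.exe
_time=2019-05-01T10:00:00 host=WS01 EventCode=4674 RecordNumber=1300748316 Privileges=SeBackupPrivilege ProcessName=WmiPrvSE.exe
_time=2019-05-01T10:00:01 host=WS01 EventCode=4674 RecordNumber=1300748317 Privileges=SeBackupPrivilege ProcessName=WmiPrvSE.exe
_time=2019-05-01T10:00:02 host=WS01 EventCode=4674 RecordNumber=1300748318 Privileges=SeDebugPrivilege ProcessName=chrome.exe
_time=2019-05-01T10:00:03 host=WS02 EventCode=4624 RecordNumber=99 Privileges=- ProcessName=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def duplicate_records(events: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Same idea as `stats count by RecordNumber, _time, host | where count > 1`:
    a RecordNumber seen twice for one host and timestamp means the forwarder
    re-sent it, not that Windows wrote that many events."""
    counts = Counter((e["RecordNumber"], e["_time"], e["host"]) for e in events)
    return {key: n for key, n in counts.items() if n > 1}


def noisy_privilege_use(events: Iterable[Dict[str, str]]) -> List[Tuple[Tuple[str, str], int]]:
    """Rank 4674 events by (privilege, process), most frequent first, so the
    source of the flood is known before deciding whether to stop auditing that
    privilege via GPO or to drop it at ingest."""
    counts = Counter(
        (e["Privileges"], e["ProcessName"]) for e in events if e.get("EventCode") == "4674"
    )
    return counts.most_common()


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("duplicate RecordNumbers:", duplicate_records(evs))
    print("4674 by privilege/process:", noisy_privilege_use(evs))
```

Run the duplicate check first: if it fires, the fix is on the Splunk side (re-ingestion), and only an empty result points at the audit policy itself.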