Getting Data In

Why are Win Event Logs (Security logs) (Win10) generating gigs of data related to SeBackupPrivilege?

roguebmc
New Member

Has anyone seen an issue where Win Event Logs (Security logs) (Win10) are generating gigs of data related to SeBackupPrivilege?
Any idea why this is happening and how to fix it?

This is the log message:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=(Hostname)
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=1300748316
Keywords=Audit Success
Message=An operation was attempted on a privileged object.
0 Karma

roguebmc
New Member

Thanks Skalli. I hadn't thought of that to be honest, so great point.

The high volume of alerts was primarily from one machine. Once we disabled auditing in the Windows Event Log, it stopped the spamming. The root cause is actually any app that is accessing a 'privileged object' (in this case it's calling the WmiPrvSE.exe process, but it can be many, such as Adobe Updater), and that is triggering millions of events in the log. Event 4674 in this case. So that is what I need to focus on now.

Thanks for the response again.
Brian

0 Karma

jpolcari
Communicator

Curious to see if you found any more information on this. I'd like to not filter out the 4674 events, but they are creating so many events that Splunk cannot keep up. For me, it is specifically the SeBackupPrivilege.

0 Karma

evolutionxtinct
Explorer

Did anyone hear back on this? I'm getting the same issue but with chrome.exe and iexplorer.exe; any guidance would be appreciated, thanks!

0 Karma

jpolcari
Communicator

I ended up disabling the auditing for the SeBackupPrivilege only.

evolutionxtinct
Explorer

Did you disable the SeBackupPrivilege through GPO or during Splunk ingestion?

0 Karma

jpolcari
Communicator

I did that through GPO. I didn't find the event very useful for my environment so chose not to log it.

0 Karma

skalliger
Motivator

Have you checked for duplicate RecordNumbers?
Because sometimes you get a ridiculously high number of the same message.
Like this:

index=*active_directory* sourcetype=*whatever*
| stats count by RecordNumber, _time, host
| where count > 1

Skalli

0 Karma
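An added example, not code from the thread or from Splunk: a small Python script that applies Skalli's duplicate-RecordNumber check, plus a count by privilege and process of the kind Brian describes, to a few constructed 4674 events in the key=value layout Splunk's WinEventLog input produces. Field names (ComputerName, RecordNumber, Process Name, Privileges) follow the event shown above; the sample events, host name and process paths are constructed.

```python
# Added example (not from the thread): triage a burst of Windows Security
# event 4674 records in the key=value form Splunk's WinEventLog input emits.
# It mirrors the SPL check above (duplicate RecordNumber per host) and also
# counts events by privilege and process to spot the noisy caller.
import re
from collections import Counter
# Constructed sample events (not real data); the first two share a RecordNumber.
SAMPLE = """\
EventCode=4674
ComputerName=WS01
RecordNumber=1300748316
Message=An operation was attempted on a privileged object.
Process Name: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
Privileges: SeBackupPrivilege

EventCode=4674
ComputerName=WS01
RecordNumber=1300748316
Message=An operation was attempted on a privileged object.
Process Name: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
Privileges: SeBackupPrivilege

EventCode=4674
ComputerName=WS01
RecordNumber=1300748317
Message=An operation was attempted on a privileged object.
Process Name: C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe
Privileges: SeBackupPrivilege
"""
# Key names are letters/spaces; the first '=' or ':' after them ends the key.
KV = re.compile(r"^\s*([A-Za-z ]+?)\s*[=:]\s*(.*)$")

def parse_events(text):
    """Split the text on blank lines; each event becomes a key -> value dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (KV.match(line) for line in block.splitlines())
        events.append({m.group(1).strip(): m.group(2).strip() for m in fields if m})
    return events

def duplicate_records(events):
    """Equivalent of `stats count by RecordNumber, host | where count > 1`."""
    c = Counter((e.get("RecordNumber"), e.get("ComputerName")) for e in events)
    return {key: n for key, n in c.items() if n > 1}

def noisy_callers(events, code="4674"):
    """Count the given EventCode by (privilege, process) to find the spammer."""
    return Counter((e.get("Privileges"), e.get("Process Name"))
                   for e in events if e.get("EventCode") == code)
```

Run `duplicate_records` first: if it is non-empty, the volume is partly ingestion duplicates rather than genuine audit events, and the per-process counts from `noisy_callers` tell you which caller to investigate before changing audit policy.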