0 Replies Latest reply on Dec 6, 2017 2:44 PM by ngordon

    Policy View/Change rule issue.

    ngordon

I am having an issue with one PC in particular that is activating the Policy View rule. I created a custom email so that I knew which PC this was activating on; the email lists both the Detection IP and the Insertion IP. When it comes through in the email it says:


      "the start type of the windows modules installer service was changed from auto start to demand start. at 2017-11-30 15:50:11.0.


      Nick_72.DOMAIN.com

      nick_72.domain.com


BUT when looking at the same alert in nDepth, it tells me:


      Event Name: PolicyModify 

      EventInfo: The start type of the Windows Modules Installer service was changed from demand start to auto start.  InsertionIP: Nick_72.DOMAIN.com

      Manager: swi-lem  DetectionIP: Nick_72.DOMAIN.com  InsertionTime: 15:50:11 Wed Nov 30 2017  DetectionTime: 15:50:11 Wed Nov 30 2017

      Severity: 4  ToolAlias: Windows System  InferenceRule:   ProviderSID: Service Control Manager 7040  ExtraneousInfo:   DestinationDomain:

      SourceAccount: SYSTEM  SourceDomain:   SourceLogonID:   DestinationDomainID:   SourceMachine:

      ChangeDetails: The start type of the Windows Modules Installer service was changed from demand start to auto start.  IsThreat: false


But I don't understand why the rule is activating, as the PC name hasn't ever actually changed. I am getting this email about twice an hour. My confusion comes down to the fact that within nDepth it shows exactly the same names, but within the email it is lower-casing all the characters in the Detection IP field. I have the email set up to follow the order of Insertion IP and then Detection IP. Can someone please help me figure out what I am doing wrong?


*Actual PC name/domain has been changed, but the formatting is exactly as written.
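The alert in the post is Service Control Manager event 7040 (a service start-type change) as LEM surfaces it in EventInfo/ChangeDetails. The following is an added triage example, not code from the post or from SolarWinds LEM: it parses the 7040 message text, compares the InsertionIP and DetectionIP host names case-insensitively (DNS names are case-insensitive, so a case difference alone is not a different host), and sorts each event into suppress/alert/log. The CRITICAL_SERVICES list, the assumption that the Windows Modules Installer demand-start/auto-start flip is expected servicing activity, and the sample events are all assumptions constructed for the example.

```python
import re

# Message shape of Service Control Manager event 7040 as LEM surfaces it in
# EventInfo / ChangeDetails (the same wording the post quotes).
START_TYPE_RE = re.compile(
    r"The start type of the (?P<service>.+?) service was changed "
    r"from (?P<old>auto start|demand start|disabled|boot start|system start) "
    r"to (?P<new>auto start|demand start|disabled|boot start|system start)\.",
    re.IGNORECASE,
)

# Assumption for this example: services whose start type must not be weakened
# without a change record. Tune to your environment.
CRITICAL_SERVICES = {
    "windows event log",
    "windows defender antivirus service",
    "windows firewall",
}

# Assumption for this example: the Windows Modules Installer (TrustedInstaller)
# flipping between demand start and auto start is treated as expected servicing
# activity and suppressed rather than alerted on.
EXPECTED_FLIPS = {
    ("windows modules installer", "demand start", "auto start"),
    ("windows modules installer", "auto start", "demand start"),
}

# Start types that represent a weakening relative to auto start.
WEAKER = {"disabled", "demand start"}


def parse_start_type_change(text):
    """Return {'service', 'old', 'new'} for a 7040 message, or None if it is not one."""
    m = START_TYPE_RE.search(text)
    if not m:
        return None
    return {"service": m["service"], "old": m["old"].lower(), "new": m["new"].lower()}


def same_host(a, b):
    """DNS host names are case-insensitive; compare a normalised form."""
    return a.strip().rstrip(".").lower() == b.strip().rstrip(".").lower()


def host_fields_agree(event):
    """True when InsertionIP and DetectionIP name the same host, ignoring case."""
    return same_host(event["InsertionIP"], event["DetectionIP"])


def classify(event):
    """Triage one LEM-style event dict (EventInfo, InsertionIP, DetectionIP, SourceAccount).

    Returns (verdict, reason); verdict is 'ignore' (not a start-type change),
    'suppress' (expected flip), 'alert' (critical service weakened) or 'log'.
    """
    change = parse_start_type_change(event.get("EventInfo", ""))
    if change is None:
        return ("ignore", "not a start-type change")
    key = (change["service"].lower(), change["old"], change["new"])
    if key in EXPECTED_FLIPS:
        return ("suppress", f"expected servicing flip of {change['service']}")
    if key[0] in CRITICAL_SERVICES and change["new"] in WEAKER:
        who = event.get("SourceAccount", "?")
        return ("alert", f"{change['service']} weakened from {change['old']} to {change['new']} by {who}")
    return ("log", f"{change['service']} {change['old']} -> {change['new']}")


def triage(events):
    """Verdict per event, in input order."""
    return [classify(e)[0] for e in events]


# Constructed sample events shaped like the post's nDepth record; not real data.
SAMPLE_EVENTS = [
    {
        "EventInfo": "The start type of the Windows Modules Installer service was changed from demand start to auto start.",
        "InsertionIP": "Nick_72.DOMAIN.com",
        "DetectionIP": "nick_72.domain.com",
        "SourceAccount": "SYSTEM",
    },
    {
        "EventInfo": "The start type of the Windows Event Log service was changed from auto start to disabled.",
        "InsertionIP": "ws-17.domain.com",
        "DetectionIP": "ws-17.domain.com",
        "SourceAccount": "jsmith",
    },
    {
        "EventInfo": "The Windows Update service entered the running state.",
        "InsertionIP": "ws-17.domain.com",
        "DetectionIP": "WS-17.domain.com",
        "SourceAccount": "SYSTEM",
    },
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, reason = classify(e)
        hosts = "hosts agree" if host_fields_agree(e) else "HOST MISMATCH"
        print(f"{verdict:8} {hosts:14} {reason}")
```

Run as-is it prints one line per constructed event; the first (the post's own message shape) is suppressed, the second alerts because a critical service was disabled by a non-SYSTEM account, and the third is ignored as not a 7040 message. The host comparison is deliberately case-insensitive so that an email template that lower-cases one field and not the other cannot by itself make two fields look like two different machines.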