2 Replies Latest reply on Nov 7, 2019 9:54 AM by jaredkeyes

    UserLogon / UserLogoff spam

    jnink

      I have been making an effort to get our LEM/SEM logs in order so we can start shaping and alerting the information it is giving us. One problem I have run into is we are getting a huge number of UserLogon and UserLogoff events under both "Local Account Authentication/Changes" and "User Logons" under "Authentication". I will see 3 or 4 copies of the same log hit SEM for the same user on the same remote server with the only difference ever being a slight change between DestinationLogonID. I will attach a redacted example of a logon and logoff to this thread as an example.

      How do you all deal with the constant logon/logoff events while still staying PCI or HIPAA compliant?

        • Re: UserLogon / UserLogoff spam
          jaredkeyes

          Signal boosting this question. I know it's a slightly older post, but I'm having the same issue. Usually it's with Exchange or our DCs. We only have around 100 people in our company, but we can hit 9999+ logs in a matter of minutes with this logon/logoff spam. Any ideas on how to clean it up?

          Thanks,

          Jared