deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update event-4673.md

Browse Source
This commit is contained in:
Benny Shilpa
2022-01-07 14:59:50 +05:30
committed by GitHub
parent b631833ee6
commit 5fc5424cef
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/auditing/event-4673.md
View File

@ -173,7 +173,7 @@ For 4673(S, F): A privileged service was called.
> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events.
- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. See subcategories [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) and [Audit Non Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) for more details.
- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.”