Hi Brad,
My guess is you have extended auditing enabled. Both of these alerts are
typical of access requests (file handles) or successful use of privs - in
both cases, I would be more interested in failed use of privs and/or
blocked access. However, you have to judge for your environment. Without
knowing everything about your setup, I would say you could probably safely
ignore these for now, then focus on the rest of the alerts to try to get a
clear understanding of what "normal" is.
Cheers
Kat
On Friday, July 8, 2016 at 2:34:20 PM UTC-5, Brad Carey wrote:
>
> We have deployed OSSEC company wide to probably 60-80 PCs and servers.
> Problem is our hourly emails are 4-5MB, way too much to wade through. The
> vast majority of the events are Event ID 4656, with a good number of Event
> ID 4673 too. How do I determine whether or not I can suppress all of these
> from the alert emails? I don't mean in the technical sense, but security
> sense. Might these particular events ever be thrown when there is malicious
> activity?
>
> Thanks!
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.