This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 71%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Hi
We have enabled the patches for Aug 2020 for Zero logon , after that I am getting High number of events from event id 5829.
Not able to detect the true positive. Its flooding in SIEM .
Event Name : The Netlogon service allowed a vulnerable Netlogon secure channel connection
In event I can able to see the logs categeory system and subcategeory Netlogon and Source is DC.
Need to know how to detect true positive out of it.
Regards
Admin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
On the problem member you can do from PowerShell.
Test-ComputerSecureChannel
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
--please don't forget to Accept as answer if the reply is helpful--
Hello @Aamir Bin Jamal ,
Thank you for posting here.
Based on the description, do we want to find the device accounts or trust accounts through Event ID 5829?
If so, we can see as below based on the link below.
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
If anything I misunderstood you, please correct me.
Thank you for your understanding.
Best Regards,
Daisy Zhou
Hi Daisy and Patrick
Thanks for your response its helpful .
@Daisy : I am also getting the same set of fields as you mentioned here .
But the information is not much to analyze the true positive . I am getting same SAM Account name and DC name in all my events.
Can you please help me in correlating this alert with others to get correct results.
regards
Admin
Hello @Aamir Bin Jamal ,
Thank you for your update.
By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections. If one of these events is logged in the system event log for a Windows device:
1.Confirm that the device is running a supported versions of Windows.
2.Ensure the device is fully updated.
3.Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled.
Would you please tell us how we check the result is incorrect?
Thank you for your understanding and time.
Best Regards,
Daisy Zhou