ANONYMOUS LOGON/NT AUTHORITY lots of activities

Blip Blop 1 Reputation point
2021-12-31T08:52:40.563+00:00

Hello, I am still getting
"ANONYMOUS LOGON/NT AUTHORITY
Event ID 4780
IDM.Group.MemberChange
<Data Name='SubjectUserSid'>S-1-5-7</Data>
<Data Name='SubjectUserName'>ANONYMOUS LOGON</Data>
<Data Name='SubjectDomainName'>NT AUTHORITY</Data>
<Data Name='SubjectLogonId'>0x3e6</Data>
<Data Name='PrivilegeList'>-</Data></EventData>
Target User:niccore" logs even though I have removed niccorre from my Target User. And many continue to come. How can I get this resolved?


2 answers

  1. Limitless Technology 39,931 Reputation points
    2021-12-31T12:23:19.353+00:00

    Hello @Blip Blop

    It may seem that the account is still configured in some device, application or service, and it will continue to connect as long as it is configured to. What may help you here is to detect where the data is coming from.

    Find the matching Logon event (probably Event ID 4624) and its details should tell you where they're logging on from (IP address).

    The details about the Logon Type may also help to identify the source (interactive logon, network logon, service...):
    https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

    Hope this helps with your query,

    --If the reply is helpful, please Upvote and Accept as answer--

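The correlation described in the answer above, as an added example that is not part of the thread: for each Event ID 4780 in the Security log, look up the 4624 logon event that created the subject's session (same logon ID) and report the source IP, logon type and workstation. It assumes it is run elevated on the domain controller that wrote the events, and that 4780 carries its target account in a `TargetUserName` field.

```powershell
# Added example: correlate Event ID 4780 with the 4624 event of the same logon ID.
# Assumes an elevated session on the DC that logged the 4780 events.
param([int]$Hours = 24)

function Get-EventData {
    # Flatten the <Data Name='...'> fields of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Well-known session IDs of the built-in local accounts. These sessions are not
# created by an interactive or network logon, so there is no 4624 event to find;
# the 0x3e6 seen in the question is the ANONYMOUS LOGON session.
$builtin = @{ '0x3e4'='NETWORK SERVICE'; '0x3e5'='LOCAL SERVICE'; '0x3e6'='ANONYMOUS LOGON'; '0x3e7'='SYSTEM' }

$filter = @{ LogName='Security'; Id=4780; StartTime=(Get-Date).AddHours(-$Hours) }
$aclEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($evt in $aclEvents) {
    $acl = Get-EventData $evt
    $logonId = ([string]$acl['SubjectLogonId']).ToLower()
    $row = [ordered]@{
        Time        = $evt.TimeCreated
        TargetUser  = $acl['TargetUserName']     # assumed field name for the target account
        Subject     = "$($acl['SubjectDomainName'])\$($acl['SubjectUserName'])"
        LogonId     = $logonId
        Origin      = $null; LogonType = $null; Workstation = $null
    }
    if ($builtin.ContainsKey($logonId)) {
        # Local system session: nothing remote to chase, no 4624 will match.
        $row.Origin = "local built-in session ($($builtin[$logonId]))"
    } else {
        # 4624 records the new session's ID in TargetLogonId; match on that.
        $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$logonId']]"
        $logon = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($logon) {
            $l = Get-EventData $logon
            $row.Origin = $l['IpAddress']; $row.LogonType = $l['LogonType']; $row.Workstation = $l['WorkstationName']
        } else {
            $row.Origin = 'no matching 4624 in the log (already rolled over?)'
        }
    }
    [pscustomobject]$row
}
```

Rows whose origin is a local built-in session can be handled as a separate SIEM rule from rows that resolve to a remote IP and logon type.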

  2. Blip Blop 1 Reputation point
    2022-01-07T15:07:01.607+00:00

    Hello, @Limitless Technology

    Thank you very much for your valuable feedback. When I got the control, I encountered an activity event that checked all accounts with administrative privileges. What will be your thoughts on this? Normally, I want to receive ACL Event ID 4780 events, but the ones that come to me are false positives. So actually, how can I go about an arrangement in my SIEM product? Will this create a security issue for me if I ignore those with Source user NT AUTHORITY/ANONYMOUS LOGON? Or does it offer a positive solution?

    Best regards.
