<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Limit User-ID Agent queries to certain Windows event-IDs in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/limit-user-id-agent-queries-to-cerain-windows-event-ids/m-p/1242569#M6484</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208972"&gt;@SBegass&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I don't believe that it's possible to exclude certain event IDs that your agent can read. There are two common scenarios that you'll see for this issue, and that's either building your rulebase with the potential of seeing this admin account recognized or simply excluding those user IDs so you don't see them.&lt;/P&gt;</description>
    <pubDate>Tue, 25 Nov 2025 14:49:13 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2025-11-25T14:49:13Z</dc:date>
    <item>
      <title>Limit User-ID Agent queries to certain Windows event-IDs</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/limit-user-id-agent-queries-to-cerain-windows-event-ids/m-p/1242217#M6467</link>
      <description>&lt;P&gt;We have been using PA-User-ID Agent for years and it was working fine. The Agent is connecting to Domain-Controller Log and maps user-name and ip-address of successful logins for firewall-policy usage.&lt;/P&gt;
&lt;P&gt;Yesterday we changed GPOs on the Domain Controller to enable Kerberos-Ticket Logging and since then we received unwanted mappings: A user starting an RDP Session to a Server and logging on to the server with a different user-name (i.e. Tier-1 Admin). Then the local pc-ip address is mapped to the server-username and thus the local user to ip-mapping is being overwritten.&lt;/P&gt;
&lt;P&gt;Is it possible to exempt certain Windows event-IDs (i.e. ID4768) from being queried, or explicitly setting the desired event-IDs for querying?&lt;/P&gt;</description>
      <pubDate>Wed, 19 Nov 2025 13:26:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/limit-user-id-agent-queries-to-cerain-windows-event-ids/m-p/1242217#M6467</guid>
      <dc:creator>SBegass</dc:creator>
      <dc:date>2025-11-19T13:26:14Z</dc:date>
    </item>
    <item>
      <title>Re: Limit User-ID Agent queries to certain Windows event-IDs</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/limit-user-id-agent-queries-to-cerain-windows-event-ids/m-p/1242569#M6484</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208972"&gt;@SBegass&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I don't believe that it's possible to exclude certain event IDs that your agent can read. There are two common scenarios that you'll see for this issue, and that's either building your rulebase with the potential of seeing this admin account recognized or simply excluding those user IDs so you don't see them.&lt;/P&gt;</description>
      <pubDate>Tue, 25 Nov 2025 14:49:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/limit-user-id-agent-queries-to-cerain-windows-event-ids/m-p/1242569#M6484</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-11-25T14:49:13Z</dc:date>
    </item>
  </channel>
</rss>

