Limit User-ID Agent queries to certain Windows event-IDs


L0 Member

We have been using PA-User-ID Agent for years and it was working fine. The Agent is connecting to the Domain-Controller Log and maps user-name and ip-address of successful logins for firewall-policy usage.

Yesterday we changed GPOs on the Domain Controller to enable Kerberos-Ticket Logging and since then we receive unwanted mappings: A user starts an RDP Session to a Server and logs on to the server with a different user-name (i.e. Tier-1 Admin). Then the local pc-ip address is mapped to the server-username and thus the local user-to-ip mapping is being overwritten.

Is it possible to exempt certain Windows event-IDs (i.e. ID4768) from being queried, or explicitly set the desired event-IDs for querying?

1 REPLY

Cyber Elite

@SBegass,

I don't believe that it's possible to exclude certain event IDs that your agent can read. There are two common scenarios that you'll see for this issue, and that's either building your rulebase with the potential of seeing this admin account recognized or simply excluding those user IDs so you don't see them.
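As an added illustration of the overwrite the question describes and the ignore-user mitigation the reply suggests (my own simulation, not the poster's or Palo Alto's code; the event fields, IPs and account names are constructed, and the ignore list is assumed to be matched case-insensitively):

```python
# Standalone simulation of User-ID style IP-to-user mapping from Windows
# Security events (constructed data; not the Palo Alto User-ID Agent's code).
import re

# 4624 = logon, 4768 = Kerberos TGT request. A 4768 for the Tier-1 admin
# carries the *workstation* IP, which is the unwanted mapping from the post.
MAPPING_EVENT_IDS = {4624, 4768}

# Constructed sample log, reduced to the three fields the mapping needs.
SAMPLE_LOG = """\
4624 user=jdoe ip=10.1.1.25
4768 user=t1-admin ip=10.1.1.25
4624 user=t1-admin ip=10.1.50.5
"""

LINE_RE = re.compile(r"^(\d+) user=(\S+) ip=(\S+)$")

def parse_events(text):
    """Return a list of (event_id, user, ip) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events

def build_mappings(events, ignore_users=()):
    """Return {ip: user}. A later event for the same IP overwrites the earlier
    one (the behaviour the post describes); users in ignore_users are skipped,
    mirroring an ignore-user list so admin/service accounts never map an IP."""
    ignored = {u.lower() for u in ignore_users}
    mapping = {}
    for event_id, user, ip in events:
        if event_id in MAPPING_EVENT_IDS and user.lower() not in ignored:
            mapping[ip] = user
    return mapping

def find_overwrites(events):
    """Detection helper: (ip, old_user, new_user) for every mapping change,
    useful for spotting which accounts clobber workstation users."""
    seen, changes = {}, []
    for event_id, user, ip in events:
        if event_id not in MAPPING_EVENT_IDS:
            continue
        if ip in seen and seen[ip] != user:
            changes.append((ip, seen[ip], user))
        seen[ip] = user
    return changes
```

Running `find_overwrites` over real agent input tells you which accounts to put on the ignore list before they displace workstation mappings.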
