Description
This article explains why, when FSSO is configured in polling mode and registry filters are used, the FSSO Collector Agent does not appear to filter logon events according to the registry filter when Event IDs to Poll is set to 0, 1 or 2, and the Logon Users list shows all the users.
Scope
FSSO, FortiGate.
Solution
Background:
When FSSO is configured in polling mode and registry filters are used, the filters appear to have no effect: users still show up under Logon Users even though the event does not match the filter value.
Each polling set monitors a different subset of the event IDs. The following shows which set polls which event IDs:
- 0: polls: 672, 680, 4768, 4776. This is the default subset.
- 1: polls: 672, 673, 680, 4768, 4769, 4776.
- 2: polls: 672, 673, 680, 4768, 4769, 4776, 4624 (EventID 4624 was added to default polling in Windows 2016 for better support of MacOS and newer Windows server platforms).
- <EventID1;EventID2;...;EventIDn>: polls only the listed event ID or IDs, e.g. 4768;4769;4624.
More information can be found here:
Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
For example:
A registry filter LogonType:(2|7|10) is created for event ID 4624, and Event IDs to Poll is set to 2.
One logon activity may create multiple logon events; in this example a single logon produced event ID 4624 with Logon Type = 3, plus 4769 and 4768.
Because Logon Type 3 does not match the filter values, the 4624 event should not register the logon, and the collector agent debug log confirms that the filter did not match:
09/12/2023 16:40:41 [ 3084] [D][EPPoller]ApplyReFilter, RE not match:: EvtID=4624, Record=SubjectUserSid:S-1-0-0,SubjectUserName:-,SubjectDomainName:-,SubjectLogonId:0x0,TargetUserSid:S-1-5-21-90155476-3764056487-291651316-1105,TargetUserName:=test,TargetDomainName:xyz.com,TargetLogonId:0x57c15b7,LogonType:3,LogonProcessName:Kerberos,AuthenticationPackageName:Kerberos,WorkstationName:-,LogonGuid:{dadd948d-f1f7-7ed1-5471-7a18f9da14b9},TransmittedServices:-,LmPackageName:-,KeyLength:0,ProcessId:0x0,ProcessName:-,IpAddress:10.0.0.201,IpPort:60135
However, the collector agent still registered the logon and shows the user under Logon Users.
Reason:
Set 2, as listed above, polls event IDs 672, 673, 680, 4768, 4769, 4776 and 4624.
The collector agent polls 4624 and matches it against the configured registry filter.
However, it also polls 4768 and 4769, and as no filter is configured for those event IDs, it registers the logon from them.
So regardless of the result of the registry filter on event ID 4624, the logon still gets registered.
To summarize, polling and registering across event IDs is an OR operation: if ANY one of the polled event IDs for a logon passes (or has no filter), the logon is registered.
Solution:
To make the registry filter effective when one logon creates events with multiple event IDs, set Event IDs to Poll to the specific event ID the filter targets. In this example, event ID 4624 is used:
This polls only event ID 4624, so the filter is applied to that event and the logon is registered, or not, based on the filter result alone.
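The following is an added example, not code from the article or from the FSSO Collector Agent, that models the behaviour described in the Reason and Solution sections: each polled event is checked against the registry filter for its own event ID (an event ID with no filter always registers), and the per-event results are combined with OR. The polling sets are the ones listed above; the record format is the Key:Value,Key:Value form printed in the EPPoller debug line. It is assumed here that the registry filter is a regular expression searched in that record string. The 4624 record is abridged from the debug line above; the 4768 and 4769 records are constructed for illustration.

```python
import re

# Predefined "Event IDs to Poll" sets as listed in this article.
POLL_SETS = {
    "0": {672, 680, 4768, 4776},
    "1": {672, 673, 680, 4768, 4769, 4776},
    "2": {672, 673, 680, 4768, 4769, 4776, 4624},
}


def parse_poll_setting(setting):
    """Return the set of event IDs an "Event IDs to Poll" value selects.

    "0", "1" or "2" select a predefined set; anything else is read as an
    explicit ';'-separated list such as "4768;4769;4624".
    """
    setting = setting.strip()
    if setting in POLL_SETS:
        return set(POLL_SETS[setting])
    return {int(part) for part in setting.split(";") if part.strip()}


def parse_record(record):
    """Split a 'Key:Value,Key:Value,...' record (the format of the EPPoller
    debug line) into a dict of field name -> value."""
    fields = {}
    for item in record.split(","):
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def evaluate_logon(poll_setting, filters, events):
    """Model the collector's per-event decision and the OR across events.

    filters: {event_id: regex} registry filters (assumption: the RE is
             searched in the record string exactly as the log prints it).
    events:  [(event_id, record)] raised by ONE logon activity.
    Returns (registered, per_event_verdicts).
    """
    polled = parse_poll_setting(poll_setting)
    verdicts = []
    for event_id, record in events:
        if event_id not in polled:
            verdicts.append((event_id, "ignored: not in polled set"))
            continue
        pattern = filters.get(event_id)
        if pattern is None:
            verdicts.append((event_id, "registered: no filter for this ID"))
        elif re.search(pattern, record):
            verdicts.append((event_id, "registered: filter matched"))
        else:
            verdicts.append((event_id, "dropped: filter did not match"))
    # The OR: one registering event is enough to put the user in Logon Users.
    registered = any(v.startswith("registered") for _, v in verdicts)
    return registered, verdicts


# Constructed sample: the three events the article's single logon by 'test'
# produced. 4624 is abridged from the debug line; 4768/4769 are made up.
EVENTS_LOGON_TYPE_3 = [
    (4624, "TargetUserName:test,TargetDomainName:xyz.com,LogonType:3,"
           "AuthenticationPackageName:Kerberos,IpAddress:10.0.0.201"),
    (4768, "TargetUserName:test,TargetDomainName:xyz.com,IpAddress:10.0.0.201"),
    (4769, "TargetUserName:test,TargetDomainName:xyz.com,IpAddress:10.0.0.201"),
]

# The registry filter from the article, keyed by the event ID it applies to.
FILTERS = {4624: r"LogonType:(2|7|10)"}


def demo():
    """Compare Event IDs to Poll = 2 with the fix (only 4624)."""
    results = {}
    for setting in ("2", "4624"):
        registered, verdicts = evaluate_logon(setting, FILTERS, EVENTS_LOGON_TYPE_3)
        results[setting] = registered
        print(f"Event IDs to Poll = {setting}: user registered = {registered}")
        for event_id, verdict in verdicts:
            print(f"  {event_id}: {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the two outcomes side by side: with set 2 the 4624 event is dropped by the filter but 4768 and 4769 register the user anyway, while with Event IDs to Poll = 4624 only the filtered event is considered and the Logon Type 3 logon is not registered. The model also makes the trade-off explicit: any event ID left out of the polling list is no longer a source of logons at all, so a logon that only ever produces an event ID you stopped polling is not seen either. Note that `LogonType:(2|7|10)` is an unanchored regular expression; since the record terminates the field with a comma, `LogonType:(2|7|10),` is the stricter form if the collector's RE engine is given it.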
Related article:
Technical Tip: Use registry filters to filter Logon Events based on Event ID fields using Regular Ex...