ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Receive many 8015: Event Tracing for Windows (ETW) leading to excessive LOE from analysts

book

Article ID: 226933

calendar_today

Updated On:

Products

Advanced Threat Protection Platform

Issue/Introduction

Many "8015: Event Tracing for Windows (ETW)" Incidents lead to excessive Loss Of Effectiveness from our security analysts. 

Environment

EDR Release : 4.6.0

EDR Add-On for Splunk 1.5.0

QRADAR or Splunk receives log events from EDR

 

Resolution

 

                                                                                                                                                                                                                          
- Support identified the following possible approaches to responding to the flood of "Multiple failed logon..." Incidents
  -- OPTION 1: Use a Recorder Rule to Not Record ETW events for lsass.exe 
     Pros: The flood of lsass-related events and Incidents would stop.
           Visibility of all ETW events from all other executables will remain intact.
           A Recorder Rule would reduce CPU and storage resources in use at EDR and QRADAR for recording lsass-related ETW events.
           Least effort for highest targeted effect.
           Another BROADCOM Software product in the Endpoint Security portfolio can be installed to investigate logon accesses.
              See: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/endpoint-security-and-management/threat-defense-for-active-directory/generated-pdfs/Symantec_Endpoint_Threat_Defense_for_Active_Directory_3.6_Installation_Guide.pdf
     Cons: Global impact - all ETW events from c:\windows\system32\lsass.exe would be discarded before entering EDR or Splunk.


  -- OPTION 2: Disable the Incident Rule
     Pros: The flood of lsass-related Incidents would stop.
           ETW events would continue to be available in EDR and Splunk for SOC investigations.
     Cons: ETW events would continue to consume CPU and storage within both EDR and Splunk.
     Method: In an ETW related Incident, click a Triggering Event to expand. Identify the threat.id or bash.virus_id. On the Incident Rules tab on the Incidents, search for the threat.id or bash.virus_id. On the right side of the row, click the ellipses (...), then click Disable. 


  -- OPTION 3: Use a Recorder Exception to turn off ETW for a Client Group containing only the AD servers
      Pros: The flood of lsass-related events and Incidents would stop.
            Turning off ETW for a SEP client group containing AD servers would reduce CPU and storage resources in use at EDR and QRADAR for recording lsass-related ETW events.
      Cons: This approach would result in all ETW events being discarded for the client group, not just Logon events from the AD servers hosting the Global Catalog.