While the import job is running, sometimes we are seeing a wrong account in the security log (Chinese characters). Why do we have this behavior?
Here's a sample of the security log from the Windows server:
<13>Oct 21 04:42:48 10.116.24.130 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.4.86 Source=Microsoft-Windows-Security-Auditing Computer=SERVER01.XYZ.CORP.COM OriginatingComputer=10.150.XX.130 User= Domain= EventID=4648 EventIDCode=4648 EventType=8 EventCategory=12544 RecordNumber=111333026 TimeGenerated=1634805767 TimeWritten=1634805767 Level=0 Keywords=0 Task=0 Opcode=0 Message=A logon was attempted using explicit credentials. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x860f Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 䱔杯楆敬敓敶楲 Account Domain: T Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: SERVER01.XYZ.CORP.COM Additional Information: SERVER01.XYZ.CORP.COM Process Information: Process ID: 0x7dc Process Name: C:\Program Files (x86)\CA\Identity Manager\Connector Server\ccs\bin\im_ccs.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Only the admin account for the connector server should be running im_ccs.exe, so the attempt by the Chinese user account does seem to be suspicious. There is nothing in the Broadcom Identity product that can cause an unauthorized account to log in or RUNAS, so please contact your Windows administrators and your network security teams to investigate further how the user is attempting to log on.
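As an added triage check (my own code, not part of the original answer or the Broadcom product): CJK-looking glyphs in a Windows event field are often an 8-bit ASCII string that was consumed by a wide-character (UTF-16) API, and that can be tested directly. Applied to the event quoted above, the account name re-encodes to the printable ASCII text `TLogFileSeveri`; the regex and function names below are my own, and the check is a data point to hand to the Windows administrators, not a substitute for their investigation.

```python
import re

# Excerpt of the 4648 message quoted above (copied from the page, not constructed).
SAMPLE_MESSAGE = (
    "A logon was attempted using explicit credentials. Subject: Security ID: NULL SID "
    "Account Name: - Account Domain: - Logon ID: 0x860f "
    "Account Whose Credentials Were Used: Account Name: 䱔杯楆敬敓敶楲 Account Domain: T "
    "Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: "
    "Target Server Name: SERVER01.XYZ.CORP.COM"
)

# Pulls the name/domain pair out of the "Account Whose Credentials Were Used" block.
FIELD_RE = re.compile(
    r"Account Whose Credentials Were Used:\s*Account Name:\s*(.+?)\s+Account Domain:\s*(\S+)"
)


def credentials_used_fields(message: str):
    """Return (account_name, account_domain) from the 4648 message, or None."""
    m = FIELD_RE.search(message)
    if not m:
        return None
    return m.group(1), m.group(2)


def utf16le_mojibake_to_ascii(text: str):
    """If every UTF-16LE code unit of `text` is a pair of printable ASCII bytes,
    return that ASCII string; otherwise None.  Matching is the signature of an
    8-bit string that was read as wide characters (each CJK glyph = 2 ASCII bytes)."""
    raw = text.encode("utf-16-le", errors="surrogatepass")
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(message: str) -> dict:
    """Parse the credentials-used fields and report whether they look like mojibake."""
    fields = credentials_used_fields(message)
    if fields is None:
        return {"parsed": False}
    name, domain = fields
    return {
        "parsed": True,
        "account_name": name,
        "account_domain": domain,
        "name_as_ascii": utf16le_mojibake_to_ascii(name),
        "domain_as_ascii": utf16le_mojibake_to_ascii(domain),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

A genuine account name such as `svc_ccs` yields `None` from `utf16le_mojibake_to_ascii` because its UTF-16LE encoding contains zero bytes, so only a field made entirely of byte-pair glyphs is flagged.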