The Auth Events Remote Device Name is the Name of the Local Device
Article ID: 291324
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
The "Remote Device" value in Auth Events is populated with the local computer name.
Environment
- Carbon Black Cloud: All Supported Sensors
- Microsoft Windows: Windows 10 and 11
Cause
The sensor populates this value from the information in Windows Event ID 4624, and the OS event itself contains the incorrect value.
Resolution
- Per this article, the "Workstation Name" field should be populated with the name of the machine from which the logon attempt was performed.
- For an unknown reason, Windows may populate this value with the local machine name instead.
- There is no known resolution at this time. Please reach out to Microsoft if additional information is needed.
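To confirm that the value originates in the OS event rather than in the sensor, the 4624 records can be inspected directly. The following is an added example, not Carbon Black or Microsoft code: it parses 4624 events in Windows event XML form and lists those whose WorkstationName equals the logging computer's own name while IpAddress points to another host. The sample events, host names and addresses are constructed, and treating a non-loopback IpAddress as a sign of a remote logon is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SOURCES = {"", "-", "127.0.0.1", "::1"}  # assumption: these mean "no remote source"

def _event(computer, user, logon_type, workstation, ip):
    """Build one constructed 4624 record in Windows event XML form."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="WorkstationName">{workstation}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample data, not taken from a real system.
SAMPLE = "<Events>" + "".join([
    _event("WS-01.example.test", "alice", 3, "WS-01", "192.0.2.15"),     # local name, remote address
    _event("WS-01.example.test", "bob", 3, "LAPTOP-07", "192.0.2.15"),   # remote name as expected
    _event("WS-01.example.test", "carol", 2, "WS-01", "127.0.0.1"),      # interactive logon on the host
]) + "</Events>"

def parse_logons(xml_text):
    """Yield one dict of EventData fields (plus Computer) per 4624 record."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", "", NS).strip() != "4624":
            continue
        rec = {d.get("Name"): (d.text or "").strip()
               for d in ev.iterfind("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", "", NS).strip()
        yield rec

def workstation_is_local_name(rec):
    """True when WorkstationName matches the short name of the logging computer."""
    host = rec["Computer"].split(".")[0].lower()
    return rec.get("WorkstationName", "").lower() == host

def suspect_records(xml_text):
    """4624 records that name the local host but carry a non-local source address."""
    return [r for r in parse_logons(xml_text)
            if workstation_is_local_name(r)
            and r.get("IpAddress", "-") not in LOCAL_SOURCES]

if __name__ == "__main__":
    for r in suspect_records(SAMPLE):
        print(r["Computer"], r["TargetUserName"], r["LogonType"],
              r["WorkstationName"], r["IpAddress"])
```

For records flagged this way, the IpAddress field is the value to pivot on when the Remote Device name in Auth Events cannot be trusted.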