Issue:
When looking at a forwarded Windows system event on the Events > Security Events page in the Elements portal, the user name shown in the Details drop-down does not match what is reported in the file downloaded using the Event XML: Download XML link, or in the system event itself when viewed locally in the Windows Event Viewer.
For example, in an Event ID: 4625 "An account failed to log on" event, the User Name and Principal User Name do not match the actual account which failed to log on. Why is the wrong username listed in the detection details?
Other Event IDs which have the same issue:
- A user account was locked out. Event ID: 4740, event source: Microsoft-Windows-Security-Auditing.
Resolution:
The User Name and Principal User Name in the Details section of the Security Alert do not refer to the user affected by the alert. They are taken from the Device details page in the portal and show the last successfully logged-in user.
You need to click on the Event XML: Download XML link to view the details of the actual user for this system event.
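The following is an added example, not part of the original article and not WithSecure code: it reads a downloaded Event XML file and returns the account the event is actually about, for the two Event IDs named above. It assumes the download uses the standard Windows event XML schema; the function name and the sample event are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the standard Windows event XML layout, trimmed to a few fields.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>"""

def affected_account(xml_text):
    """Return the account a 4625 or 4740 event is about (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    raw_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if raw_id is None:
        raise ValueError("no System/EventID element found")
    event_id = int(raw_id)
    if event_id not in (4625, 4740):
        raise ValueError(f"unhandled Event ID {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    if "TargetUserName" not in data:
        raise ValueError("event has no TargetUserName field")
    # In 4625, TargetDomainName is the account's domain. In 4740 the same
    # field carries the caller computer name, so it is labelled differently.
    scope_key = "domain" if event_id == 4625 else "caller_computer"
    return {
        "event_id": event_id,
        "account": data["TargetUserName"],
        scope_key: data.get("TargetDomainName", ""),
        "source_ip": data.get("IpAddress", ""),
    }

if __name__ == "__main__":
    print(affected_account(SAMPLE_4625))
```

The account field comes from TargetUserName, not SubjectUserName, which names the account that reported the event.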
Article no: 000042747