Windows Audit Logging, trying to exclude SEP but no username present in entries
Scenario: Object Audit level logging with Symantec Endpoint Protection being sent to SIEM solution.
Objective: Prevent AV Scans from flooding SIEM
Problem: Windows Audit Policy (auditpol) can exclude based on username but not based on process name. Symantec scans generate security logs but do not have a username associated with them. At scan time, SIEM solution becomes inundated with events from scans.
Sample (notice the User= is BLANK)
<13>Jan 22 12:19:42 HOSTNAME
Message=An attempt was made to access an object.
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Account Domain: CORP
Logon ID: 0x3e7
Object Server: Security
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Handle ID: 0x2c0
Process ID: 0xbec
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Access Request Information:
Access Mask: 0x100
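Since the Windows audit policy itself cannot exclude by process, the practical place to drop these events is the forwarder or SIEM ingest pipeline, keyed on the Process Name field that the sample does carry. The following is an added example (not from the original post, and not Symantec's or any SIEM vendor's code): it parses events in the syslog-wrapped shape quoted above and drops only object-access events raised by the full Rtvscan.exe path while running as SYSTEM. The sample events, the NOISY_PROCESSES set and the function names are constructed for the example.

```python
"""Drop Symantec Endpoint Protection scan noise from forwarded object-access events.

Added example, not from the original post. It assumes events arrive as syslog
text in the shape quoted in the post: a header line, a "Message=" line, then
one "Field: value" line per event field.
"""
import re
from typing import Dict, Iterable, List

# Full, lower-cased paths of scanner binaries whose object-access events are
# pure noise. Matching the full path (not just the file name) means the same
# file name at any other location is still forwarded. Constructed for this
# example; adjust to the real install path.
NOISY_PROCESSES = {
    r"c:\program files (x86)\symantec\symantec endpoint protection\rtvscan.exe",
}

# "Field Name: value" lines; the non-greedy key stops at the first colon, so
# values containing colons (drive letters) survive intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_event(text: str) -> Dict[str, str]:
    """Turn the multi-line event body into a dict of field -> value."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Message="):
            fields["Message"] = line[len("Message="):].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def is_av_scan_noise(fields: Dict[str, str]) -> bool:
    """True only for object-access events from a listed scanner path running
    as the local SYSTEM account, which is what the scans in the post look
    like. Anything else (another process, another account, another event
    text) is kept, so the exclusion stays as narrow as possible."""
    proc = fields.get("Process Name", "").strip().lower()
    if proc not in NOISY_PROCESSES:
        return False
    if fields.get("Message") != "An attempt was made to access an object.":
        return False
    if fields.get("Security ID", "").upper() != r"NT AUTHORITY\SYSTEM":
        return False
    return True


def filter_events(raw_events: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events worth forwarding to the SIEM."""
    return [f for f in map(parse_event, raw_events) if not is_av_scan_noise(f)]


# Constructed samples in the same shape as the event quoted in the post.
SAMPLE_SEP_EVENT = r"""<13>Jan 22 12:19:42 HOSTNAME
Message=An attempt was made to access an object.
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Account Domain: CORP
Logon ID: 0x3e7
Object Server: Security
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Handle ID: 0x2c0
Process ID: 0xbec
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Access Request Information:
Access Mask: 0x100
"""

# An interactive user touching the same file: must be kept.
SAMPLE_USER_EVENT = r"""<13>Jan 22 12:20:01 HOSTNAME
Message=An attempt was made to access an object.
Security ID: CORP\jdoe
Account Name: jdoe
Account Domain: CORP
Logon ID: 0x5a1c2
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Process Name: C:\Windows\explorer.exe
Access Mask: 0x100
"""

# Same file name outside the install path, also as SYSTEM: must be kept.
SAMPLE_OTHER_PATH_EVENT = r"""<13>Jan 22 12:21:10 HOSTNAME
Message=An attempt was made to access an object.
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Account Domain: CORP
Logon ID: 0x3e7
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Process Name: C:\Users\Public\Rtvscan.exe
Access Mask: 0x100
"""

if __name__ == "__main__":
    kept = filter_events([SAMPLE_SEP_EVENT, SAMPLE_USER_EVENT, SAMPLE_OTHER_PATH_EVENT])
    print(f"forwarded {len(kept)} of 3 events")  # the two non-scanner events
```

The filter only reduces what reaches the SIEM; the events are still written to the local Security log, so the local log size and retention settings still have to absorb the scan bursts. Keying on the full path plus the SYSTEM security ID, rather than on the file name alone, keeps the exclusion from silently hiding object-access activity by anything that merely shares the scanner's name.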