Why do I have duplicated events?


SUMMARY

Snare agents can appear to replicate events across domain controllers. The duplication is not created by the agents themselves; it comes from the way Microsoft domains replicate certain events between domain controllers, and has worked this way since Windows 2000.

In an environment with several domain controllers, some client events (not all) end up in the event log of more than one domain controller. A Snare agent simply collects events from the local event log of the server it runs on and forwards them; an agent on one server has no knowledge of what an agent on another server is doing, and the Snare Enterprise agent behaves the same way. So if the same event appears in the logs of several domain controllers, each local agent forwards its own copy. If your SIEM has the capability, it can correlate these copies as a single event. Otherwise you will see duplicate events in the SIEM whose sending host differs but whose originating host, user and creation details are identical.
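As an added example (not Snare's code, and not part of the original article), the following is one way a SIEM-side collector could correlate such copies before indexing them. It assumes the events have already been parsed into dicts with the field names shown, uses Windows event ID 4740 (account locked out) in a constructed sample, and allows a small time window for clock skew between domain controllers, which goes slightly beyond the exact-match case described above.

```python
"""Collapse duplicate Windows events that Snare agents on several domain
controllers each forward to the SIEM.

Added example, not Snare code. Assumed field names on each parsed event:
  reporting_host -- DC whose Snare agent sent this copy (differs between copies)
  event_id, account, origin_host, created -- identity of the event itself
Copies whose identity fields match and whose 'created' times fall within
WINDOW_SECONDS of each other are merged into one event.
"""
from datetime import datetime, timedelta

WINDOW_SECONDS = 5  # assumed tolerance for clock skew between DCs


def event_key(ev):
    """Identity of the event, deliberately ignoring which DC reported it."""
    return (ev["event_id"], ev["account"].lower(), ev["origin_host"].lower())


def correlate(events):
    """Return one record per distinct event, with the DCs that reported it
    collected under 'reported_by', in order of first appearance."""
    merged = []      # distinct events
    last_seen = {}   # event_key -> index in merged of the latest match
    for ev in sorted(events, key=lambda e: e["created"]):
        key = event_key(ev)
        idx = last_seen.get(key)
        if idx is not None and ev["created"] - merged[idx]["created"] <= timedelta(seconds=WINDOW_SECONDS):
            merged[idx]["reported_by"].append(ev["reporting_host"])
            continue
        record = {k: v for k, v in ev.items() if k != "reporting_host"}
        record["reported_by"] = [ev["reporting_host"]]
        merged.append(record)
        last_seen[key] = len(merged) - 1
    return merged


# Constructed sample: one lockout of 'jsmith' reported by two DCs two seconds
# apart, then a separate lockout ten minutes later reported by one DC.
T0 = datetime(2024, 1, 15, 9, 30, 0)
SAMPLE_EVENTS = [
    {"reporting_host": "DC1", "event_id": 4740, "account": "jsmith",
     "origin_host": "WS042", "created": T0},
    {"reporting_host": "DC2", "event_id": 4740, "account": "JSMITH",
     "origin_host": "WS042", "created": T0 + timedelta(seconds=2)},
    {"reporting_host": "DC2", "event_id": 4740, "account": "jsmith",
     "origin_host": "WS042", "created": T0 + timedelta(minutes=10)},
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_EVENTS):
        print(ev["created"], ev["event_id"], ev["account"], "reported by", ev["reported_by"])
```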

The Microsoft article at https://technet.microsoft.com/en-us/library/cc961787.aspx covers this in more detail. Some of this behaviour is controlled by Windows Active Directory (AD) replication policy and can be tuned to stop some of the duplicate events from occurring. The key extract from that article is:

Urgent Replication of Account Lockout Changes
Account lockout is a security feature that sets a limit on the number of failed authentication attempts that are allowed before the account is "locked out" from a further attempt to log on, in addition to a time limit for how long the lockout is in effect.
In Windows 2000, account lockout is urgently replicated to the primary domain controller (PDC) emulator role owner and is then urgently replicated to the following:

  • Domain controllers in the same domain that are located in the same site as the PDC emulator.

  • Domain controllers in the same domain that are located in the same site as the domain controller that handled the account lockout.

  • Domain controllers in the same domain that are located in sites that have been configured to allow change notification between sites (and, therefore, urgent replication) with the site that contains the PDC emulator or with the site where the account lockout was handled. These sites include any site that is included in the same site link as the site that contains the PDC emulator or in the same site link as the site that contains the domain controller that handled the account lockout.