Environment
- Carbon Black Cloud: All Supported Sensors
- Microsoft Windows: Windows 10 and 11
Symptoms
The "Remote Device" value in Auth Events is populated with the local computer name
Cause
The sensor populates this value from the information provided by OS Event ID 4624, which itself displays the incorrect value
Resolution
- Per this article, the "Workstation Name" should be populated with the name of the machine from which a logon attempt was performed
- For an unknown reason, Windows may populate this value with the local machine name instead
- No known resolution at this time. Please reach out to Microsoft if additional information is needed
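
To confirm on an affected endpoint that Event ID 4624 itself carries the local name, the following added example (not part of the original article or of Carbon Black tooling) flags logon events whose WorkstationName equals the local computer name even though the logon came from another address. The function name, the choice of logon types 3 and 10 as "remote", the loopback list, and the sample event are assumptions made for illustration.

```powershell
# Added example: flag 4624 events where WorkstationName is the local computer
# name on a remote logon. Test-LocalWorkstationName is a hypothetical helper.
function Test-LocalWorkstationName {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string]$LocalName = $env:COMPUTERNAME
    )
    # Flatten <EventData><Data Name="..."> elements into a hashtable.
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

    $remoteTypes = '3', '10'                    # assumption: Network, RemoteInteractive
    $loopback    = '-', '127.0.0.1', '::1'      # assumption: values meaning "no remote source"

    [pscustomobject]@{
        TargetUser             = $f['TargetUserName']
        LogonType              = $f['LogonType']
        WorkstationName        = $f['WorkstationName']
        IpAddress              = $f['IpAddress']
        # True when the OS recorded the local name for a logon that came from elsewhere.
        LocalNameOnRemoteLogon = ($remoteTypes -contains $f['LogonType']) -and
                                 ($f['WorkstationName'] -eq $LocalName) -and
                                 ($loopback -notcontains $f['IpAddress'])
    }
}

# Constructed sample event (not real data): a network logon from 192.0.2.25
# recorded with the local machine's own name in WorkstationName.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WIN11-LAB</Data>
    <Data Name="IpAddress">192.0.2.25</Data>
  </EventData>
</Event>
'@
Test-LocalWorkstationName -EventXml $sample -LocalName 'WIN11-LAB'

# On the endpoint itself (elevated prompt), run the same check over real events:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 200 |
#     ForEach-Object { Test-LocalWorkstationName -EventXml ([xml]$_.ToXml()) } |
#     Where-Object LocalNameOnRemoteLogon
```

Events returned with LocalNameOnRemoteLogon set to True show that the incorrect value originates in the Windows Security log rather than in the sensor; the IpAddress field of those events still identifies the source of the logon.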