I have an alert for monitoring Windows server logon success (event ID 4624) and have already whitelisted all the authorized users in the alert rule, but after a while some alerts showed up using the domain NT AUTHORITY with account names like SYSTEM, and some MSSQL service accounts with the domain NT Service Logon. The logon type is 5 (if I'm not mistaken, this logon type is a service start), and from my research NT AUTHORITY is some kind of Local System account for Windows, and it is safe because it is a built-in user.
Is it 100% safe to whitelist those accounts, or are there some threats that can occur from those accounts?
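One way to tune the rule described in the question, as an added example that is not part of the original post: instead of whitelisting account names alone, key the allow-list on the combination of account domain, account name and logon type, so that a whitelisted built-in account seen with a logon type it does not normally produce (for example NT AUTHORITY\SYSTEM arriving as a RemoteInteractive logon rather than a Service logon) still raises an alert. The sample 4624 records, the pipe-delimited layout, the domain CORP, the users alice and bob, and the service account name MSSQLSERVER are all constructed for the example; the logon type numbers are the standard Windows 4624 values.

```python
"""Added example (not from the original post): evaluate Windows 4624 logon
events against an allow-list keyed on (domain, account, logon type) instead
of account name alone. All sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Standard meanings of the 4624 LogonType field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Domains under which Windows reports its built-in and virtual service accounts.
BUILTIN_DOMAINS = {"NT AUTHORITY", "NT SERVICE"}

# Allow-list entries are (domain, account, logon type). A built-in account is
# allowed only for the logon types it legitimately produces, so the same account
# name arriving with a different logon type still alerts.
ALLOWLIST = {
    ("NT AUTHORITY", "SYSTEM", 5),       # service start as LocalSystem
    ("NT SERVICE", "MSSQLSERVER", 5),    # virtual service account (hypothetical name)
    ("CORP", "alice", 2),                # hypothetical authorised user, console logon
    ("CORP", "alice", 10),               # the same user over RDP
}

# Constructed sample events, laid out as
# EventID|TargetDomainName|TargetUserName|LogonType|IpAddress
SAMPLE_EVENTS = [
    "4624|NT AUTHORITY|SYSTEM|5|-",
    "4624|NT SERVICE|MSSQLSERVER|5|-",
    "4624|CORP|alice|10|10.0.0.5",
    "4624|NT AUTHORITY|SYSTEM|10|10.0.0.9",  # built-in account with an RDP logon type
    "4624|CORP|bob|3|10.0.0.7",              # user not on the allow-list
]


@dataclass(frozen=True)
class LogonEvent:
    domain: str
    account: str
    logon_type: int
    ip: str

    @property
    def key(self) -> Tuple[str, str, int]:
        return (self.domain, self.account, self.logon_type)


def parse_4624(line: str) -> LogonEvent:
    """Parse one constructed pipe-delimited 4624 record."""
    fields = line.split("|")
    if len(fields) != 5 or fields[0] != "4624":
        raise ValueError(f"not a 4624 record: {line!r}")
    return LogonEvent(domain=fields[1], account=fields[2],
                      logon_type=int(fields[3]), ip=fields[4])


def evaluate(ev: LogonEvent) -> Tuple[str, str]:
    """Return ("allow" | "alert", reason) for a single logon event."""
    kind = LOGON_TYPES.get(ev.logon_type, "Unknown")
    who = f"{ev.domain}\\{ev.account}"
    if ev.key in ALLOWLIST:
        return "allow", f"allow-listed {who} as {kind} logon"
    if ev.domain in BUILTIN_DOMAINS:
        # The account name alone would have been whitelisted by the original
        # rule; the logon type is what makes this one worth a look.
        return "alert", f"built-in account {who} with unexpected {kind} logon (type {ev.logon_type})"
    if ev.logon_type == 5:
        return "alert", f"user account {who} used for a Service logon"
    return "alert", f"{who} with {kind} logon is not allow-listed"


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate every record and return (record, verdict, reason) triples."""
    return [(line, *evaluate(parse_4624(line))) for line in lines]


def alerts(lines: List[str]) -> List[str]:
    """Only the records that should page someone."""
    return [line for line, verdict, _ in triage(lines) if verdict == "alert"]


if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_EVENTS):
        print(f"{verdict:5}  {reason}")
```

Running the block prints one verdict per sample record; the two SYSTEM and MSSQLSERVER service logons are allowed, while the SYSTEM logon carrying type 10 and bob's network logon are flagged. The design choice is that the allow-list trusts a behaviour (this account, this way), not a name, which is what the original name-only whitelist gives up.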