@terracatta k2 seems to be generating a lot of event id 4798 (group enumeration) on a particular server (10x higher than other machines) - do you know what could cause it to do this?
Hi @hilt, does this device happen to have a lot of users? Is it something like a domain controller?
This has come up previously… There are a couple of API calls osquery uses to populate user and process data that trigger that. Some of the Windows folks recommend disabling that particular event log — it has a lot of false positive hits. I recorded some of the details into https://github.com/osquery/osquery/issues/5840 a prior time. But this exceeds my Windows knowledge pretty fast.