SOC Event Lookup
Event ID 4675KerberosP3

Windows Event ID 4675: SIDs were filtered

Windows Security Event ID 4675 records that SIDs were filtered for an Active Directory trust.

Applicable version
Windows Server 2008 and later
Last reviewed
2026-07-13

Trigger Scenarios

The event is generated on a domain controller when SID filtering is applied for a specific trust and SIDs are removed from the authorization data.

Key Fields

Filtered SIDs

The SIDs removed by trust filtering. Unexpected privileged-domain SIDs in this field show that the trust boundary blocked attempted privilege projection.

Trust Direction / Trust Attributes / Trust Type

Trust metadata that identifies which relationship performed the filtering. Use it to determine whether the event belongs to an external, forest, or other configured trust.

TDO Domain SID

The trusted-domain object domain SID. It anchors the filtered SID list to the trust relationship being evaluated.

Common False Positives

  • Normal SID filtering can occur on configured external or forest trusts and may simply confirm the trust boundary is working.
  • Trust migrations and domain consolidation projects can produce expected filtering events.

Related Events

MITRE ATT&CK Mapping

  • T1134.005Access Token Manipulation: SID-History Injection

Detection Notes

Use threshold=1 for 4675 on high-value trusts because the event is already the domain controller reporting that SIDs were filtered. It supports T1134.005 triage when Filtered SIDs contains privileged or foreign-domain SIDHistory values, since SID-History Injection attempts to project extra SIDs into the token and trust SID filtering removes them. Correlate the same trust to recent 4765 or 4766 SID History changes and 4716 trust modifications before treating the event as malicious rather than expected boundary enforcement.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4675
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, TrustDirection, TrustAttributes, TrustType, FilteredSids
Splunk SPL
index=wineventlog EventCode=4675
| table _time, host, TargetUserName, TargetDomainName, TrustDirection, TrustAttributes, TrustType, FilteredSids
Sample Log
Target Account:
  Account Name: alice
Trust Information:
  Trust Direction: Inbound
  Trust Attributes: FOREST_TRANSITIVE
  Trust Type: Forest
  TDO Domain SID: S-1-5-21-1000-2000-3000
  Filtered SIDs: S-1-5-21-4000-5000-6000-512

Source