Rule 59222
Status	Active
Alert Message	Logon Failure - Specified account expired

Contents 1 Description 1.1 Associated Windows Event IDs 1.2 What you should do 2 Troubleshooting 2.1 False Positives 2.2 Tuning Guidance 3 Additional Information 3.1 Support 3.2 Similar Rules 3.3 Knowledge Base Articles 3.4 Outside References 3.5 Notes

[edit] Description

Windows has detected that someone or something has attempted to log into an account that has expired.

[edit] Associated Windows Event IDs

• 529
• 530
• 531
• 532
• 533
• 534
• 535
• 536
• 537
• 539
• 4625

[edit] What you should do

This may indicate that an unauthorized party is attempt to access a dormant account that has expired, this may indicate an attack is in progress and this event should be investigated. Check the GUI for additional events from the source to determine if this is part of a larger effort to gain access to your systems.

The platform will track this logon, and if multiple events occur will issue a higher level alert that a brute force attack may be occurring.

[edit] Troubleshooting

[edit] False Positives

There are no false positives with this rule.

[edit] Tuning Guidance

There is no guidance for tuning this rule, this is a generic Windows error and the rule should not be disabled.

[edit] Additional Information

[edit] Support

If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!

[edit] Similar Rules

HIDS_59222 Windows: Remote Logon Failure - Unknown user or bad password

HIDS_59223 Logon Failure - Account logon time restriction violation

HIDS_59224 Logon Failure - Account currently disabled

HIDS_59226 Logon Failure - User not allowed to login at this computer

HIDS_59227 Logon Failure - User not granted logon type

HIDS_59228 Logon Failure - Account's password expired

HIDS_59229 Logon Failure - Internal error

HIDS_59230 Logon Failure - Account locked out

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

[edit] Notes