HIDS 59226
Rule 59222 | |
---|---|
Status | Active |
Alert Message | Logon Failure - User not allowed to login at this computer |
Contents |
[edit] Description
Windows has detected that a system has attempted to log into the system and is not allowed to log into that system.
[edit] Associated Windows Event IDs
- 529
- 530
- 531
- 532
- 533
- 534
- 535
- 536
- 537
- 539
- 4625
[edit] What you should do
This may indicate that an unauthorized party is attempt to access an account that has been disabled on the system, and may indicate an attack is in progress. This event should be investigated. Check the GUI for additional events from the source to determine if this is part of a larger effort to gain access to your systems.
The platform will track this logon, and if multiple events occur will issue a higher level alert that a brute force attack may be occurring.
[edit] Troubleshooting
[edit] False Positives
There are no false positives with this rule.
[edit] Tuning Guidance
There is no guidance for tuning this rule, this is a generic Windows error and the rule should not be disabled.
[edit] Additional Information
[edit] Support
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!
[edit] Similar Rules
HIDS_59222 Windows: Remote Logon Failure - Unknown user or bad password
HIDS_59223 Logon Failure - Account logon time restriction violation
HIDS_59224 Logon Failure - Account currently disabled
HIDS_59225 Logon Failure - Specified account expired
HIDS_59227 Logon Failure - User not granted logon type
HIDS_59228 Logon Failure - Account's password expired
HIDS_59229 Logon Failure - Internal error
HIDS_59230 Logon Failure - Account locked out
[edit] Knowledge Base Articles
None.
[edit] Outside References
None.