HIDS 18602
From Atomicorp Wiki
Rule 1 | |
---|---|
Status | Active |
Alert Message | Windows System Event |
Description
This composite rule fires when Windows System Event ID 7038 is identified multiple times. The event indicates that a service was unable to log on with its currently configured password. Frequency: 10 / 240s.
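The frequency condition described above, sketched as an added example (not Atomicorp's rule source): a sliding-window count of event ID 7038, with a per-service breakdown attached to each alert. It assumes the threshold means "10 matching events within 240 seconds", and the event tuples, service names and account names are constructed sample data.

```python
from collections import Counter, deque

EVENT_ID = 7038   # service could not log on with its configured password
FREQUENCY = 10    # threshold from the rule description
TIMEFRAME = 240   # seconds, from the rule description


def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Scan time-sorted (epoch_seconds, event_id, service, account) tuples.

    Simplified model (assumption): alert once `frequency` matching events
    fall inside `timeframe` seconds, then start counting again.
    """
    window = deque()
    alerts = []
    for ts, event_id, service, account in events:
        if event_id != EVENT_ID:
            continue
        window.append((ts, service, account))
        # Drop matches that are older than the timeframe.
        while ts - window[0][0] > timeframe:
            window.popleft()
        if len(window) >= frequency:
            # Record which service/account pairs produced the burst.
            sources = Counter((s, a) for _, s, a in window)
            alerts.append({"time": ts, "sources": sources})
            window.clear()
    return alerts


def sample_events():
    """Constructed sample data, not real log output."""
    # Ten failures 20 s apart: all ten land inside one 240 s window.
    burst = [(1000 + 20 * i, 7038, "BackupAgent", r"CORP\svc_backup")
             for i in range(10)]
    # Ten failures 60 s apart: at most five ever share a 240 s window.
    slow = [(5000 + 60 * i, 7038, "ReportSvc", r"CORP\svc_report")
            for i in range(10)]
    # Unrelated System event that the rule must ignore.
    noise = [(1100, 7036, "Spooler", "")]
    return sorted(burst + slow + noise)


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print("alert at", alert["time"])
        for (service, account), count in alert["sources"].most_common():
            print(f"  {count:3d}  {service}  {account}")
```

The per-service, per-account counts in each alert are the starting point for the check described under "What you should do".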
What you should do
This could be an indicator of an attack. Determine whether the application is actually being accessed by an invalid or unknown source, or whether the condition is caused by a password or account that has expired or changed.
Troubleshooting
False Positives
If an application has cached an invalid or expired password, this event could be triggered.
Tuning Guidance
There is no guidance for tuning this rule. This is a generic Windows error, and the rule should not be disabled.
Additional Information
Support
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.