Rule 1
Status	Active
Alert Message	Windows audit failure event

Contents 1 Description 1.1 What you should do 2 Troubleshooting 2.1 False Positives 2.2 Tuning Guidance 3 Additional Information 3.1 Support 3.2 Similar Rules 3.3 Knowledge Base Articles 3.4 Outside References 3.5 Notes

Description

Multime attempts to access an audited object by the same user. 10 times in 240 seconds.

What you should do

This means a user has attempted to access an auditing object multiple times and failed. It could indicate an attack, IOC, or a misconfigured application.

Troubleshooting

False Positives

There are no false positives with this rule.

Tuning Guidance

There is no guidance for tuning this rule, this is a generic Windows error and the rule should not be disabled.

Additional Information

Support

If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes