HIDS 18149

From Atomicorp Wiki
Revision as of 15:04, 17 June 2019 by Ben (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

18149 (Windows Event ID: 4634)

Status

Active rule currently published.

Description

This rule is detects when an account was logged off. Also see event ID 4647 which Windows logs instead of this event in the case of interactive logons when the user logs out.

This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.

For network connections (such as to a file server), it will appear that users log on and off many times a day. This phenomenon is caused by the way the Server service terminates idle connections.

If a user turns off his/her computer, Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur.

ANONYMOUS LOGONs are routine events on Windows networks.

Microsoft's comments: This event does not necessarily indicate the time that a user has stopped using a system. For example, if the computer is shut down or loses network connectivity it may not record a logoff event at all.

Logon Type: indicates how the user was logged on. See 4624 for explanation of these codes.


False Positives

There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.


Tuning Recommendations

If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

Similar Rules


Knowledge Base Articles

None.

Outside References https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625#fields

Personal tools