https://wiki.atomicorp.com/wiki/index.php?title=HIDS_59209&feed=atom&action=history
HIDS 59209 - Revision history
2024-03-29T12:29:20Z
Revision history for this page on the wiki
MediaWiki 1.20.2
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_59209&diff=6169&oldid=prev
Scott at 14:56, 22 October 2020
2020-10-22T14:56:19Z
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 14:56, 22 October 2020</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 9:</td>
<td colspan="2" class="diff-lineno">Line 9:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Description =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Description =</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Windows <del class="diffchange diffchange-inline">detected a logon failure. This is a top level event that is used by more refined rules below it</del>.  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Windows <ins class="diffchange diffchange-inline">account enabled or created</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== What you should do ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== What you should do ==</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This <del class="diffchange diffchange-inline">is </del>a <del class="diffchange diffchange-inline">top level rule </del>to <del class="diffchange diffchange-inline">catch all classes of login failure</del>, <del class="diffchange diffchange-inline">more refined rules use this rule to classify the type </del>of <del class="diffchange diffchange-inline">login failure (network, interactive, account doesnt exist, etc). No actions are required, </del>and <del class="diffchange diffchange-inline">this rule </del>should <del class="diffchange diffchange-inline">not </del>be <del class="diffchange diffchange-inline">disabled</del>.  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This <ins class="diffchange diffchange-inline">rule indicates that </ins>a <ins class="diffchange diffchange-inline">user account has been enabled or created. It may need </ins>to <ins class="diffchange diffchange-inline">be retained for regulatory frameworks</ins>, <ins class="diffchange diffchange-inline">it could also be an IOC </ins>of <ins class="diffchange diffchange-inline">malicious activity </ins>and should be <ins class="diffchange diffchange-inline">investigated</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td></tr>
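<tr><td colspan="4">Review bot: the Infobox, False Positives and Tuning Guidance sections are left stating the old logon-failure meaning while this hunk changes the Description and "What you should do" text to "account enabled or created". In the initial revision the Alert Message still reads "Windows audit failure event", False Positives says "There are no false positives with this rule", and Tuning Guidance calls it "a generic Windows error" that "should not be disabled"; those should be updated in the same revision so they agree with the new guidance that the event may be an IOC and should be investigated.</td></tr>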
</table>
Scott
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_59209&diff=6168&oldid=prev
Scott: Created page with "{{Infobox |header1 = Rule 1 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Windows audit failure event }} = Description = Windows detected a logon fail..."
2020-10-22T14:55:12Z
<p><b>New page</b></p><div>{{Infobox<br />
|header1 = Rule 1<br />
|label2 = Status<br />
|data2 = Active<br />
|label3 = Alert Message<br />
|data3 = Windows audit failure event<br />
}} <br />
<br />
= Description =<br />
<br />
Windows detected a logon failure. This is a top level event that is used by more refined rules below it. <br />
<br />
== What you should do ==<br />
<br />
This is a top-level rule to catch all classes of login failure; more refined rules use this rule to classify the type of login failure (network, interactive, account doesn't exist, etc.). No actions are required, and this rule should not be disabled. <br />
<br />
= Troubleshooting =<br />
<br />
== False Positives ==<br />
<br />
There are no false positives with this rule.<br />
<br />
== Tuning Guidance ==<br />
<br />
There is no guidance for tuning this rule; this is a generic Windows error and the rule should not be disabled.<br />
<br />
= Additional Information =<br />
<br />
== Support ==<br />
<br />
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!<br />
<br />
== Similar Rules ==<br />
<br />
None.<br />
<br />
== Knowledge Base Articles ==<br />
<br />
None.<br />
<br />
== Outside References ==<br />
<br />
None.<br />
<br />
== Notes ==</div>Scott