|Alert Message||Account logon time restriction violation|
Windows has detected that a system has attempted to log into the Windows system and the account or group has been configured to only allow logons during specific times, so the logon has been denied.
Associated Windows Event IDs
What you should do
This means that the logon has been denied by local policy, specifically that this account or group is not allowed to logon during the time the account attempted to log in. This may an attempt to access a system by an unauthorized user and the access should be investigated.
The platform will track this logon, and if multiple events occur will issue a higher level alert that a brute force attack may be occurring.
There are no false positives with this rule.
There is no guidance for tuning this rule, and the rule should not be disabled.
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!
HIDS_59222 Windows: Remote Logon Failure - Unknown user or bad password
HIDS_59224 Logon Failure - Account currently disabled
HIDS_59225 Logon Failure - Specified account expired
HIDS_59226 Logon Failure - User not allowed to login at this computer
HIDS_59227 Logon Failure - User not granted logon type
HIDS_59228 Logon Failure - Account's password expired
HIDS_59229 Logon Failure - Internal error
HIDS_59230 Logon Failure - Account locked out
Knowledge Base Articles