Hello,
I am currently taking a look at the alert rules shipped with LogPoint, trying to figure out which of these are applicable to our environment, and sometimes find something I think (keep in mind, I am neither an expert regarding LogPoint nor InfoSec) is not correct. I do not know whether LogPoint has any bug tracker where I can post/ask for clarification.
E.g.
Alert rule - LP_Windows Failed Login Attempt using an Expired Account (LP 6.12.2)
“This alert is triggered whenever user attempts to login using expired account.”
The search query is
norm_id=WinServer* label=User label=Login label=Fail sub_status_code="0xC0000071" -target_user=*$ -user=*$ -user IN EXCLUDED_USERS | rename user as target_user, domain as target_domain, reason as failure_reason |
As far as I understand the Windows documentation (4625(F): An account failed to log on. (Windows 10) - Windows security | Microsoft Docs), the sub-status 0xC0000071 means the login was attempted with an expired password, not with an expired account, which would be 0xC0000193.
So shouldn't the search query use the sub-status 0xC0000193, or am I missing something? (I do not see the big impact a login attempt with an expired password has, while I would like to be alerted when an expired account tries to login.)
Another question:
I would like to know what "label=User label=Login label=Fail" (or any other shipped label) actually decodes to. However, I can not find the search package for the Windows labels to take a look at how these search labels are "decoded".
Best answer by Andre Kurtz
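As an added illustration (not LogPoint's code and not part of the original post), the following Python replays the filter of the shipped query over a few constructed Windows 4625 records, once with the shipped sub-status 0xC0000071 and once with 0xC0000193, so the difference the question raises is visible on actual events. The sub-status meanings are the ones listed in Microsoft's 4625 documentation. Everything else is an assumption for the sake of the example: the key=value record shape, the EXCLUDED_USERS list as a small Python set, and the triple label=User label=Login label=Fail approximated as event_id=4625 (how LogPoint really decodes those labels is exactly the open question above).

```python
"""Replay of the LP_Windows expired-account alert filter over constructed
4625 records (added illustration, not LogPoint's code)."""
import re

# Sub-status meanings from Microsoft's 4625(F) documentation.
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "bad password",
    "0xc000006f": "logon outside authorized hours",
    "0xc0000070": "logon from unauthorized workstation",
    "0xc0000071": "expired password",
    "0xc0000072": "account disabled by administrator",
    "0xc0000193": "expired account",
    "0xc0000234": "account locked out",
}

SHIPPED_CODE = "0xC0000071"          # what the shipped query filters on
EXPIRED_ACCOUNT_CODE = "0xC0000193"  # what the question proposes instead

# Stand-in for LogPoint's EXCLUDED_USERS list (assumption).
EXCLUDED_USERS = {"svc_backup"}

# Constructed sample events (not real LogPoint output). Field names mirror
# the ones the shipped query references; event_id=4625 stands in for
# label=User label=Login label=Fail (assumption).
SAMPLE_EVENTS = [
    'norm_id=WinServer2016 event_id=4625 user=alice domain=CORP '
    'sub_status_code=0xC0000071 reason="Password expired"',
    'norm_id=WinServer2016 event_id=4625 user=bob domain=CORP '
    'sub_status_code=0xC0000193 reason="Account expired"',
    'norm_id=WinServer2016 event_id=4625 user=WS01$ domain=CORP '
    'sub_status_code=0xC0000193 reason="Account expired"',
    'norm_id=WinServer2016 event_id=4625 user=svc_backup domain=CORP '
    'sub_status_code=0xC0000193 reason="Account expired"',
    'norm_id=WinServer2016 event_id=4625 user=carol domain=CORP '
    'sub_status_code=0xC000006A reason="Bad password"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse a key=value line (quoted values allowed) into a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV.finditer(line)
    }


def matches(event, sub_status_code, excluded_users=EXCLUDED_USERS):
    """Python equivalent of the query's filter part:
    norm_id=WinServer* label=User label=Login label=Fail
    sub_status_code=<code> -target_user=*$ -user=*$ -user IN EXCLUDED_USERS
    """
    if not event.get("norm_id", "").startswith("WinServer"):
        return False
    if event.get("event_id") != "4625":          # label approximation
        return False
    if event.get("sub_status_code", "").lower() != sub_status_code.lower():
        return False
    user = event.get("user", "")
    # "-user=*$" / "-target_user=*$": drop computer accounts.
    if user.endswith("$") or event.get("target_user", "").endswith("$"):
        return False
    return user not in excluded_users                # "-user IN EXCLUDED_USERS"


def run_rule(events, sub_status_code):
    """Apply the filter, then the query's rename step, to each raw line.
    Returns one alert record per matching event, in input order."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if not matches(ev, sub_status_code):
            continue
        code = ev.get("sub_status_code", "").lower()
        hits.append({
            "target_user": ev.get("user"),        # rename user as target_user
            "target_domain": ev.get("domain"),    # rename domain as target_domain
            "failure_reason": ev.get("reason"),   # rename reason as failure_reason
            "substatus_meaning": SUBSTATUS.get(code, "unknown"),
        })
    return hits


if __name__ == "__main__":
    for code in (SHIPPED_CODE, EXPIRED_ACCOUNT_CODE):
        print(code, SUBSTATUS[code.lower()], "->",
              [h["target_user"] for h in run_rule(SAMPLE_EVENTS, code)])
```

With the shipped sub-status the only hit is alice's expired-password attempt; bob's expired-account attempt only fires with 0xC0000193, while the computer account (name ending in `$`) and the excluded service account are dropped by the query's own exclusions in both runs.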