Clarification on event 672 followed by 529
Posted 1/16/2013 8:49:40 PM
Forum Newbie

Group: Forum Members
Last Login: 6/1/2012 10:15:24 AM
Posts: 2, Visits: 0
Hello,
Need help to understand the below pattern:
672 - event ID logged with the Result Code: 0x6 and Client Address: 127.0.0.1
Followed by
529 - Logon Failure logged with the Logon Type: 10 and Caller User Name: DC name with '$'.

Both events have the same User Name, and we are collecting both events from the same DC with the help of a SIEM tool.

Result Code: 0x6 > Bad user name, or new computer/user account has not replicated to DC yet.
Logon Type: 10 > RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)

So, what do you think is going on? The events are not so frequent, with a count of only ~30 in a day.
Post #1165
Posted 1/17/2013 8:13:11 PM
Forum Newbie

Group: Forum Members
Last Login: 6/1/2012 10:15:24 AM
Posts: 2, Visits: 0
Thanks for your reply.

But I am wondering why in 672 - Client Address: 127.0.0.1? This one is used as the loopback address only. And in 529 - Caller User Name: DC name with '$'? Generally, a user ID ending with '$' does not qualify as activity from an individual; is that the correct understanding? ....
Post #1167
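
The pattern described in the posts above (a 672 with Result Code 0x6 followed by a 529 with Logon Type 10 for the same User Name on the same DC) can be pulled out of collected events with a small correlation script. This is an added example, not part of the original thread; the record field names, the sample events and the 5-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread), already parsed from the
# DC's Security log into dictionaries. Field names are assumptions.
EVENTS = [
    {"id": 672, "time": "2013-01-16 10:00:01", "dc": "DC01", "user": "jdoe",
     "result_code": "0x6", "client_address": "127.0.0.1"},
    {"id": 529, "time": "2013-01-16 10:00:02", "dc": "DC01", "user": "jdoe",
     "logon_type": 10, "caller_user": "DC01$"},
    {"id": 672, "time": "2013-01-16 11:30:00", "dc": "DC01", "user": "asmith",
     "result_code": "0x6", "client_address": "10.0.0.25"},
    {"id": 529, "time": "2013-01-16 12:45:00", "dc": "DC01", "user": "asmith",
     "logon_type": 3, "caller_user": "-"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def correlate(events, window=timedelta(seconds=5)):
    """Pair each 672 (Result Code 0x6) with a following 529 (Logon Type 10)
    for the same user on the same DC inside `window` (an assumed value)."""
    pending = {}  # (dc, user) -> most recent matching 672
    hits = []
    for e in sorted(events, key=_ts):
        key = (e["dc"], e["user"].lower())
        if e["id"] == 672 and e.get("result_code", "").lower() == "0x6":
            pending[key] = e
        elif e["id"] == 529 and e.get("logon_type") == 10 and key in pending:
            first = pending.pop(key)
            if _ts(e) - _ts(first) <= window:
                hits.append({
                    "dc": e["dc"],
                    "user": e["user"],
                    # Fields the thread asks about: loopback client address
                    # on the 672 and a '$' (machine account) caller on the 529.
                    "loopback_client": first["client_address"].startswith("127."),
                    "machine_account_caller": e["caller_user"].endswith("$"),
                    "gap_seconds": (_ts(e) - _ts(first)).total_seconds(),
                })
    return hits

if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Grouping the hits by user name and by hour shows whether the ~30 daily occurrences cluster around a few account names or a fixed schedule.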

All times are GMT -5:00.