4625 - Unlock screen, account failed to log...
Posted 1/31/2017 11:47:52 AM
Forum Newbie

Hello. I am creating a new SIEM case and I am facing a problem.
I created a rule that will check Windows security logs for event ID 4625 and Logon Type 7.

I have tested this case on Windows 7 (non-domain workstation, local authentication):
1) Lockout the screen - and
2) Log on to the workstation again with wrong login credentials
3) Log on with the right credentials,

and in audit log I see Event with and .
Good

Now I concentrate on a Windows 10 domain workstation:
I did the same: locked the screen, made a couple of wrong authentication attempts, successfully unlocked the screen, and

I see event with , . And that is the problem, because there are the same events for a simple failed logon (for example, after a reboot and PC power-on).

But I want to monitor exactly the failed attempts to unlock the screen (NOT user logon, local or network).

Is it possible in Windows 8 and 10 machines which are in a domain (domain authentication)?

Post #7314
Posted 3/17/2017 7:35:40 AM
Supreme Being

I'm not sure what the problem is with the information presented. It sounds like you may be able to incorporate an OR statement to account for the reported subtle variation between OS versions. An event example could help.
Post #7328
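
One way to express the OR condition suggested above while still separating unlock failures from ordinary logon failures, as an added example that is not part of either post: treat a 4625 as a failed unlock if it has Logon Type 7, or if it arrives while the workstation is locked (between event 4800 and event 4801, which are only logged when the "Audit Other Logon/Logoff Events" subcategory is enabled). The `CONSOLE_TYPES` set, the host names and the sample events are assumptions constructed for illustration; the thread does not show which Logon Type Windows 10 reported.

```python
from typing import NamedTuple

class Event(NamedTuple):
    time: int            # seconds since an arbitrary start (constructed)
    host: str
    event_id: int
    logon_type: int = 0  # only meaningful for 4624/4625

# Assumption: logon types that represent someone typing at the console.
# The thread does not show which type Windows 10 logged; adjust as needed.
CONSOLE_TYPES = frozenset({2, 7})

def failed_unlocks(events, console_types=CONSOLE_TYPES):
    """Return 4625 events that look like failed screen-unlock attempts.

    Rule: 4625 with Logon Type 7, OR 4625 with a console logon type while
    the host is locked (a 4800 was seen and no 4801 or 4608 boot since).
    """
    locked = set()  # hosts currently between 4800 (lock) and 4801 (unlock)
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4800:
            locked.add(ev.host)
        elif ev.event_id in (4801, 4608):  # unlocked, or rebooted
            locked.discard(ev.host)
        elif ev.event_id == 4625:
            if ev.logon_type == 7 or (
                ev.host in locked and ev.logon_type in console_types
            ):
                hits.append(ev)
    return hits

# Constructed sample events, not taken from the thread.
SAMPLE = [
    Event(10, "WIN10", 4608),      # boot
    Event(20, "WIN10", 4625, 2),   # failed logon after reboot: not an unlock
    Event(30, "WIN10", 4624, 2),
    Event(100, "WIN7", 4800),
    Event(110, "WIN7", 4625, 7),   # failed unlock, type 7
    Event(121, "WIN7", 4801),
    Event(200, "WIN10", 4800),
    Event(210, "WIN10", 4625, 2),  # failed unlock reported as another type
    Event(212, "WIN10", 4625, 3),  # network logon failure while locked
    Event(215, "WIN10", 4625, 2),
    Event(220, "WIN10", 4801),
]

if __name__ == "__main__":
    for ev in failed_unlocks(SAMPLE):
        print(ev.time, ev.host, ev.event_id, ev.logon_type)
```

The lock-state tracking is per host, so the rule needs the 4800/4801 events forwarded to the SIEM alongside 4625.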
All times are GMT -5:00.