Event Name - UserLogonFailed
UserLogonFailed2 will aggregate data from Falcon and Windows ETW when available (assuming you're using a more modern Windows operating system), and UserLogonFailed will rely exclusively on Falcon data.
Description
Platforms: Windows
This event is generated when a user logon fails.
Fields: Windows
ContextTimeStamp: System time of event creation.
ContextProcessId: UPID of process originating this event.
ContextThreadId: UTID of thread originating this event.
TreeId: If this event is part of a detection tree, the tree ID it is part of.
UserSid: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system.
    Values:
    SELF_RID (0x01010000000000050A000000)
UserName
LogonTime
PasswordLastSet
UserLogonFlags
    Values:
    NONE (0x00000000)
    LOGON_IS_SYNTHETIC (0x00000001)
    USER_IS_ADMIN (0x00000002)
    USER_IS_LOCAL (0x00000004)
    USER_IS_BUILT_IN (0x00000008)
    USER_IDENTITY_MISSING (0x00000010)
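An added Python example (not CrowdStrike's code) that decodes the UserLogonFlags bitmask and the binary SID form used for SELF_RID, then tallies UserLogonFailed events per user so repeated failures against admin accounts stand out; the event records, user names and non-SELF SIDs are constructed.

```python
import struct
from collections import defaultdict

# UserLogonFlags bit values exactly as listed on this page.
USER_LOGON_FLAGS = {
    0x00000001: "LOGON_IS_SYNTHETIC",
    0x00000002: "USER_IS_ADMIN",
    0x00000004: "USER_IS_LOCAL",
    0x00000008: "USER_IS_BUILT_IN",
    0x00000010: "USER_IDENTITY_MISSING",
}

def decode_logon_flags(value):
    """Expand a UserLogonFlags bitmask into its documented names (NONE for 0)."""
    if value == 0:
        return ["NONE"]
    names = [name for bit, name in sorted(USER_LOGON_FLAGS.items()) if value & bit]
    unknown = value & ~sum(USER_LOGON_FLAGS)  # bits this page does not document
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names

def sid_hex_to_string(hex_sid):
    """Render a binary SID given as hex (the SELF_RID form above) as S-R-I-S...:
    revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    raw = bytes.fromhex(hex_sid)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def summarize_failures(events):
    """Tally failed logons per UserName with the decoded SID and an admin marker."""
    summary = defaultdict(lambda: {"count": 0, "admin": False, "sid": None})
    for ev in events:
        entry = summary[ev["UserName"]]
        entry["count"] += 1
        entry["admin"] = entry["admin"] or "USER_IS_ADMIN" in decode_logon_flags(ev["UserLogonFlags"])
        entry["sid"] = sid_hex_to_string(ev["UserSid"])
    return dict(summary)

# Constructed sample events: hypothetical names and SIDs, not real telemetry.
ADMIN_SID = "0105000000000005" + "15000000E8030000D0070000B80B000051040000"  # S-1-5-21-1000-2000-3000-1105
USER_SID = ADMIN_SID[:-8] + "52040000"                                       # same domain, RID 1106
SAMPLE_EVENTS = [
    {"UserName": "svc-backup", "UserSid": ADMIN_SID, "UserLogonFlags": 0x06},
    {"UserName": "svc-backup", "UserSid": ADMIN_SID, "UserLogonFlags": 0x06},
    {"UserName": "svc-backup", "UserSid": ADMIN_SID, "UserLogonFlags": 0x06},
    {"UserName": "alice", "UserSid": USER_SID, "UserLogonFlags": 0x00},
]
```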