Event Name - UserLogonFailed2

UserLogonFailed2 aggregates data from Falcon and from Windows ETW when available (that is, on a more modern Windows operating system), whereas UserLogonFailed relies exclusively on Falcon data.

Description

Platforms: Linux, ChromeOS, macOS, Windows

An event indicating that a local user attempted to log on but failed because of a bad password. LogonTime is the last successful logon time. The remote information is present only if the logon originated over the network. RawProcessId attributes a PID where relevant.

Fields: Linux, ChromeOS, macOS

Field              Description
ContextTimeStamp   System time of event creation.
UserName
LogonTime          Last successful logon time.
LogonType          Values: INTERACTIVE (2), NETWORK (3), BATCH (4), SERVICE (5), PROXY (6), UNLOCK (7), NETWORK_CLEARTEXT (8), NEW_CREDENTIALS (9), REMOTE_INTERACTIVE (10), CACHED_INTERACTIVE (11), CACHED_REMOTE_INTERACTIVE (12), CACHED_UNLOCK (13)
UID                Unix User Identifier.
UserIsAdmin        Set to TRUE if this user is a local admin.
PasswordLastSet
RemoteAddressIP4   Present only if the logon originated over the network.
RemoteAddressIP6   Present only if the logon originated over the network.
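As an added example (not part of the Falcon documentation or any CrowdStrike tooling), the Python below parses constructed UserLogonFailed2 records, resolves the LogonType codes listed above, and flags remote sources that fail against several distinct accounts within a short window, which is the shape of a password-spray detection built on this event. The JSON-lines layout, the sample values and the thresholds are assumptions.

```python
import json
from collections import defaultdict

# LogonType values exactly as enumerated in the UserLogonFailed2 field reference.
LOGON_TYPES = {
    2: "INTERACTIVE", 3: "NETWORK", 4: "BATCH", 5: "SERVICE", 6: "PROXY",
    7: "UNLOCK", 8: "NETWORK_CLEARTEXT", 9: "NEW_CREDENTIALS",
    10: "REMOTE_INTERACTIVE", 11: "CACHED_INTERACTIVE",
    12: "CACHED_REMOTE_INTERACTIVE", 13: "CACHED_UNLOCK",
}

# Constructed sample events (not real telemetry), one JSON object per line (layout
# assumed). Remote address fields appear only on network-originated failures.
SAMPLE_EVENTS = """
{"ContextTimeStamp": 1700000000, "UserName": "alice", "LogonType": 2, "UID": 1001, "UserIsAdmin": false}
{"ContextTimeStamp": 1700000010, "UserName": "root", "LogonType": 10, "UID": 0, "UserIsAdmin": true, "RemoteAddressIP4": "203.0.113.7"}
{"ContextTimeStamp": 1700000020, "UserName": "root", "LogonType": 10, "UID": 0, "UserIsAdmin": true, "RemoteAddressIP4": "203.0.113.7"}
{"ContextTimeStamp": 1700000025, "UserName": "bob", "LogonType": 10, "UID": 1002, "UserIsAdmin": false, "RemoteAddressIP4": "203.0.113.7"}
{"ContextTimeStamp": 1700000030, "UserName": "carol", "LogonType": 10, "UID": 1003, "UserIsAdmin": false, "RemoteAddressIP6": "2001:db8::9"}
{"ContextTimeStamp": 1700000040, "UserName": "dave", "LogonType": 10, "UID": 1004, "UserIsAdmin": false, "RemoteAddressIP4": "203.0.113.7"}
"""

def parse_events(text):
    """Parse JSON-lines events, resolving the LogonType name and the remote source."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["LogonTypeName"] = LOGON_TYPES.get(ev.get("LogonType"), "UNKNOWN")
        # No remote fields means the failure was local, per the event description.
        ev["Source"] = ev.get("RemoteAddressIP4") or ev.get("RemoteAddressIP6") or "local"
        events.append(ev)
    return events

def spray_candidates(events, window=300, min_users=3):
    """Flag remote sources that fail against >= min_users distinct accounts
    within `window` seconds (thresholds are illustrative assumptions)."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ContextTimeStamp"]):
        if ev["Source"] != "local":
            by_source[ev["Source"]].append(ev)
    alerts = {}
    for src, evs in by_source.items():
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ContextTimeStamp"] - first["ContextTimeStamp"] <= window]
            users = sorted({e["UserName"] for e in hits})
            if len(users) >= min_users:
                alerts[src] = {"users": users, "failures": len(hits),
                               "admin_targeted": any(e.get("UserIsAdmin") for e in hits)}
                break
    return alerts
```

Running `spray_candidates(parse_events(SAMPLE_EVENTS))` flags only 203.0.113.7 (three accounts, one of them a local admin); the single IPv6 failure and the local failure stay below threshold.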
