I am getting a Multiple Failed Logons alert for user accounts that don't exist.
The alert does not give much info... seems useless in this form.
Any thoughts on what I can do to find out what is initiating the login attempt?

Who: USER
Action: Failed Logon
Object type: Logon
What: N/A
When: 8/12/2019 7:29:43 AM
Where: xx.xx.xx.xx (domain controller)
Workstation:
Data source: Logon Activity
Monitoring plan: XX.XX
Item: XX.XX (Domain)
RID: 20190812124432089CA4F3E8965F04F138B5938A97.....
Details: Cause: User logon with misspelled or bad user account
This entry represents 5 matching events occurring within 600 seconds