
Multiple Failed Logons


#1 MidMoMan


Posted 12 August 2019 - 03:27 PM

I am getting Multiple Failed Logons alerts for user accounts that don't exist.

The alert does not give much info... seems useless in this form.

Any thoughts on what I can do to find out what is initiating the login attempt?

 

Who: USER
Action: Failed Logon
Object type: Logon
What: N/A
When: 8/12/2019 7:29:43 AM
Where: xx.xx.xx.xx (domain controller)
Workstation:
Data source: Logon Activity
Monitoring plan: XX.XX
Item: XX.XX (Domain)
RID: 20190812124432089CA4F3E8965F04F138B5938A97.....
Details: Cause: User logon with misspelled or bad user account
This entry represents 5 matching events occurring within 600 seconds



#2 Kirill K


Posted 12 August 2019 - 03:49 PM

Hi there,

It looks like someone is trying to use a "brute-force attack" and get access to a server.

Based on the events, Netwrix Auditor determines what happened; however, the events do not have information on who exactly is doing that.


Best regards,
Forum Engineer
 




