Carbon Black Cloud: The Auth_Failed_Logon_Count Field is Zero
Article ID: 291285
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
The "Enable auth event collection" setting is enabled, but the auth_failed_logon_count search field is always 0.
Environment
- Carbon Black Cloud Sensor: All Supported Versions
- Microsoft Windows: All Supported Versions
Cause
By default, Windows does not track this count unless DisplayLastLogonInfo is enabled.
Resolution
Enable DisplayLastLogonInfo via the Windows Registry or GPO.
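One way to check and set the value on a single endpoint from an elevated PowerShell session. This is an added example, not a script from this article or from the vendor. The registry key path is the standard Windows policy location and is not stated in the article, and the function names are hypothetical.

```powershell
# Added example: audit and enable DisplayLastLogonInfo on the local machine.
# Assumption: the value lives under the standard Windows policy key below.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisplayLastLogonInfo'

function Get-DisplayLastLogonInfo {
    # Returns the configured DWORD, or $null when the value is absent
    # (an absent value means the setting is not enabled).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-DisplayLastLogonInfo {
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$current = Get-DisplayLastLogonInfo
if ($current -eq 1) {
    Write-Output "$ValueName is already enabled on $env:COMPUTERNAME."
} else {
    $state = if ($null -eq $current) { 'not set' } else { "set to $current" }
    Write-Output "$ValueName is $state on $env:COMPUTERNAME; enabling."
    Enable-DisplayLastLogonInfo
    Write-Output "$ValueName is now: $(Get-DisplayLastLogonInfo)"
}
```

With the value enabled, Windows shows each user their previous logon details at sign-in. Where a GPO already configures this setting, change it in the GPO, since a local registry edit is overwritten at the next policy refresh.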
Additional Information
Engineering is looking into calculating this independently in the future as well, so that it is not dependent on the Windows setting being enabled.