Why does the DCS Windows Detection Policy have multiple event id's for failed logins

Article ID: 376988


Products

Data Center Security Server Advanced Data Center Security Server Data Center Security Monitoring Edition

Issue/Introduction

You would like to know why each failed-login option in the detection policy lists multiple event IDs.

Environment

DCS 6.x Detection Policy
Windows Agents

Resolution

These duplicate entries exist for backward compatibility with older operating systems.

Windows 2003 and XP generate event ID 529 for a login failure. On newer Windows versions, the same login failure is recorded as event ID 4625.

The event IDs in the rule are combined as an OR condition, so either one can match depending on the OS. You can edit the rule to remove one or the other, depending on which Windows versions you are running.
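The OR between the two IDs, shown as an added example in Python (not DCS product code): the log line format and the sample lines are constructed, and the second call in `demo()` shows what is silently lost if the legacy ID is pruned from the rule while a Windows 2003 host is still reporting.

```python
import re

# Failed-logon event IDs described in the article.
LEGACY_FAILED_LOGON = 529   # Windows XP / Server 2003
MODERN_FAILED_LOGON = 4625  # Windows Vista / Server 2008 and later

# The policy option as shipped: both IDs OR'd together for backward compatibility.
FAILED_LOGON_IDS = {LEGACY_FAILED_LOGON, MODERN_FAILED_LOGON}

# Constructed key=value log format; a real agent feed would be parsed differently.
_LINE = re.compile(r"EventID=(?P<id>\d+)\s+Host=(?P<host>\S+)\s+User=(?P<user>\S+)")


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = _LINE.search(line)
    if not m:
        return None
    return {"event_id": int(m.group("id")), "host": m.group("host"), "user": m.group("user")}


def failed_logons(lines, rule_ids=FAILED_LOGON_IDS):
    """Evaluate the rule: a line matches if its event ID is in the OR'd set."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event_id"] in rule_ids:
            hits.append((ev["host"], ev["user"], ev["event_id"]))
    return hits


# Constructed sample lines: one legacy host, one modern host, and a successful
# logon (4624) that must not match either way.
SAMPLE_LOG = [
    "EventID=529 Host=srv2003-01 User=svc_backup",
    "EventID=4625 Host=win2019-07 User=admin",
    "EventID=4624 Host=win2019-07 User=admin",
    "malformed line with no fields",
]


def demo():
    # Shipped rule: both hosts' failures are detected.
    both = failed_logons(SAMPLE_LOG)
    # Rule trimmed to the modern ID only: the 2003 host's failure disappears.
    modern_only = failed_logons(SAMPLE_LOG, {MODERN_FAILED_LOGON})
    return both, modern_only


if __name__ == "__main__":
    print(demo())
```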