Reducing the level of this item. This behavior happens too often in a normal environment, with day-to-day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior, would warrant a high level rating.

Tim Shelton
2022-06-29 13:32:19 +00:00
parent a4929221aa
commit 78ff2fb70f
@@ -5,7 +5,7 @@ description: This method uses uncommon error codes on failed logons to determine
status: experimental
author: Florian Roth
date: 2017/02/19
modified: 2021/10/29
modified: 2022/06/29
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- https://twitter.com/SBousseaden/status/1101431884540710913
@@ -35,4 +35,4 @@ detection:
condition: selection and not filter
falsepositives:
- User using a disabled account
level: high
level: medium
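
Review bot: The falsepositives list just above the level line still names only "User using a disabled account", while the commit message justifies the drop from high to medium by frequent hits during normal day-to-day activity; add those benign sources to falsepositives so an analyst triaging the medium alert knows what to expect. The condition `selection and not filter` is unchanged, so the rule fires at the same volume as before and only its severity label moves. The volume-based rule the commit message proposes for a high rating is not part of this change and is worth tracking as a follow-up.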