From 78ff2fb70f8f08ffd50a6e449528c1d28d5ea1de Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 29 Jun 2022 13:32:19 +0000 Subject: [PATCH] Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior would warrant a high level rating. --- .../builtin/security/win_susp_failed_logon_reasons.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml index 7bb60a5bd..ae182f1bd 100644 --- a/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml @@ -5,7 +5,7 @@ description: This method uses uncommon error codes on failed logons to determine status: experimental author: Florian Roth date: 2017/02/19 -modified: 2021/10/29 +modified: 2022/06/29 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - https://twitter.com/SBousseaden/status/1101431884540710913 @@ -35,4 +35,4 @@ detection: condition: selection and not filter falsepositives: - User using a disabled account -level: high +level: medium
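Review bot: the `modified` bump to 2022/06/29 in the first hunk is consistent with the commit date (29 Jun 2022) and is the only metadata touched; since the rule has carried `status: experimental` since its 2017 creation date, a change that re-rates it on the basis of observed day-to-day behaviour is a natural point to also confirm whether that status is still accurate, but that is optional and outside this change.

Review bot: in the second hunk, `level` is lowered from `high` to `medium` on the stated grounds that the behaviour is frequent in normal environments, yet the `falsepositives` list directly above it still names only `User using a disabled account`; the routine activity that motivated the downgrade should be recorded there so that consumers of the rule can see why the level dropped rather than having to read the commit history. The commit message also proposes a separate volume-based rule that would warrant `high`; linking that follow-up (issue or PR) in the description of this change would make the rationale traceable.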