diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index bf28f7868..123a3cd51 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -17,11 +17,11 @@ detection:
             - 4625
             - 4776
         Status:
-            - '0xC0000072'
-            - '0xC000006F'
-            - '0xC0000070'
-            - '0xC0000413'
-            - '0xC000018C'
+            - '0xC0000072' # User logon to account disabled by administrator
+            - '0xC000006F' # User logon outside authorized hours
+            - '0xC0000070' # User logon from unauthorized workstation
+            - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+            - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
             - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
     condition: selection
 falsepositives:
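Review bot: The selection still matches these reason codes on `Status` only, while for event 4625 the specific code (for example 0xC0000072 for a disabled account) is, to my recollection, frequently reported in `SubStatus` with `Status` carrying a generic restriction code, so the documented values may not fire on 4625 as written; this should be confirmed against sample events before relying on the rule. If confirmed, the fix is to also list the codes under a `SubStatus:` key in the same selection (or a second selection OR'd in the condition) rather than relying on `Status` alone. The new comments themselves read correctly against the documented NTSTATUS meanings; it would also help to note in a comment which of the two event IDs populates which field, since 4776 does not carry `SubStatus`.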