From 7bebedbac1ce599613ee04b9690506df9fa29537 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Fri, 1 Mar 2019 18:18:39 +0300
Subject: [PATCH 1/2] Update win_susp_failed_logon_reasons.yml

Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
---
 .../windows/builtin/win_susp_failed_logon_reasons.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index bf28f7868..1ef3ab6c0 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -17,12 +17,13 @@ detection:
 - 4625
 - 4776
 Status:
- - '0xC0000072'
- - '0xC000006F'
- - '0xC0000070'
- - '0xC0000413'
- - '0xC000018C'
+ - '0xC0000072' # User logon to account disabled by administrator
+ - '0xC000006F' # User logon outside authorized hours
+ - '0xC0000070' # User logon from unauthorized workstation
+ - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+ - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
 - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
+ - '0xC0000193' # User logon with expired account
 condition: selection
 falsepositives:
 - User using a disabled account
From f80cf52982e902f46fbc47a4568262afeb7583b4 Mon Sep 17 00:00:00 2001
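Review bot: The selection still keys only on `Status`, yet the codes the hunk now documents as account restrictions (0xC0000072 disabled, 0xC000006F logon hours, 0xC0000070 workstation, and the newly added 0xC0000193 expired) are, in EventID 4625, typically reported in `SubStatus` while `Status` carries the generic restriction code 0xC000006E — so on the new side these entries would presumably only match via 4776, where the code is the event's error code; verify against your 4625 samples. If that holds, a second selection on `SubStatus` for 4625 closes the gap without changing what 4776 matches. The added 0xC0000193 entry would also warrant a matching false-positive entry, e.g. `- User using an expired account` under `falsepositives`, since expired accounts keep producing failures until cleaned up.
```yaml
    selection_status:
        EventID:
            - 4625
            - 4776
        Status:
            # … unchanged: existing Status list …
    selection_substatus:
        EventID: 4625
        SubStatus:
            - '0xC0000072'
            - '0xC000006F'
            - '0xC0000070'
            - '0xC0000193'
    condition: selection_status or selection_substatus
```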
From: Florian Roth
Date: Sat, 2 Mar 2019 07:20:59 +0100
Subject: [PATCH 2/2] Expired happens too often

Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
---
 rules/windows/builtin/win_susp_failed_logon_reasons.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index 1ef3ab6c0..123a3cd51 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -23,7 +23,6 @@ detection:
 - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
 - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
 - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
- - '0xC0000193' # User logon with expired account
 condition: selection
 falsepositives:
 - User using a disabled account