Anyone have MSAUTH Custom rules written they would like to share out? -Derek Morris
> In the most current msauth-rules.xml, eventid 680 is disabled, stating
> that it is a duplicate. Unfortunately that is not the case. A failed
> 680 event is how a Windows 2003 Server AD controller denotes a failed
> NTLM login. A failed 672 is how it denotes failed Kerberos
> connections.
>
> These attempts will be most notable when a non-windows device attempts
> authentication using NTLM.
>
> As such, the default ruleset was missing many authentication failures
> in my environment. I wrote the following local-rules.xml to cover
> this gap. I also had to comment out rule 18121.
>
> <group name="local,">
>   <rule id="100000" level="0">
>     <description>User created rules</description>
>   </rule>
>
>   <rule id="100006" level="5">
>     <if_sid>18105</if_sid>
>     <id>^680</id>
>     <description>Windows NTLM Logon Failure.</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100007" level="7">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000064</match>
>     <description>Windows NTLM Logon Failure - Bad Username</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100008" level="5">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC000006A</match>
>     <description>Windows NTLM Logon Failure - Bad Password</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100009" level="7">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000234</match>
>     <description>Windows NTLM Logon Failure - Account Locked Out</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100010" level="7">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000072</match>
>     <description>Windows NTLM Logon Failure - Account Disabled</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100011" level="5">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC000006F</match>
>     <description>Windows NTLM Logon Failure - Account Time Restriction</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100012" level="5">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000070</match>
>     <description>Windows NTLM Logon Failure - Account Workstation Restriction</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100013" level="5">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000193</match>
>     <description>Windows NTLM Logon Failure - Account Expired</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100014" level="5">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000074</match>
>     <description>Windows NTLM Logon Failure - Password Expired</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100015" level="5">
>     <if_sid>100006</if_sid>
>     <match>Error Code: 0xC0000224</match>
>     <description>Windows NTLM Logon Failure - User Required To Change Password</description>
>     <group>win_authentication_failed,</group>
>   </rule>
>
> </group>
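The following Python script is an added example, not part of the quoted post and not OSSEC's own code. It emulates how OSSEC walks the local-rules.xml above for a Windows 2003 event 680 failure audit: the stock parent 18105 fires, then 100006 narrows on the event id, then one child narrows on the NTSTATUS error code, and an error code with no child rule falls back to 100006 at level 5. The embedded rule XML is the poster's (only the parent and three of the child rules are included); the log lines are constructed for this example in an approximation of the ossec-agent WinEvtLog line format, and rule 18105 is stubbed as "any Windows event with status AUDIT_FAILURE", which is an assumption about that stock rule.

```python
"""Added example: replay the poster's 680 rules against constructed log lines."""
import re
import xml.etree.ElementTree as ET

# The poster's rules, verbatim (parent plus three children; <group> tags omitted).
LOCAL_RULES = """<group name="local,">
  <rule id="100006" level="5">
    <if_sid>18105</if_sid>
    <id>^680</id>
    <description>Windows NTLM Logon Failure.</description>
  </rule>
  <rule id="100007" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000064</match>
    <description>Windows NTLM Logon Failure - Bad Username</description>
  </rule>
  <rule id="100008" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC000006A</match>
    <description>Windows NTLM Logon Failure - Bad Password</description>
  </rule>
  <rule id="100009" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000234</match>
    <description>Windows NTLM Logon Failure - Account Locked Out</description>
  </rule>
</group>"""

# Stub for stock rule 18105: ASSUMED to fire on any Windows event whose
# status is AUDIT_FAILURE. Level 4 is a placeholder, not the stock value.
STOCK_PARENT = ("18105", 4, "Windows audit failure event (stub)")

# Approximation (assumption) of the ossec-agent line format:
#   WinEvtLog: <log>: <status>(<event id>): <source>: <user>: <domain>: <host>: <message>
EVT_RE = re.compile(r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<rest>.*)$")


def decode(line):
    """Return the fields the rules inspect, or None for a non-Windows line."""
    m = EVT_RE.match(line)
    if not m:
        return None
    return {"status": m.group("status"), "id": m.group("id"), "full_log": line}


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip(),
            "id": r.findtext("id"),        # regex applied to the decoded event id
            "match": r.findtext("match"),  # substring applied to the full log line
            "description": r.findtext("description"),
        }
    return rules


def rule_fires(rule, event):
    """A rule fires when every condition it declares holds for the event."""
    if rule["id"] and not re.match(rule["id"], event["id"]):
        return False
    if rule["match"] and rule["match"] not in event["full_log"]:
        return False
    return True


def evaluate(line, rules):
    """Walk the tree like OSSEC: parent first, then the first child that
    fires, until no child fires. Returns (rule id, level, description),
    or None when not even the stubbed parent matches."""
    event = decode(line)
    if event is None or event["status"] != "AUDIT_FAILURE":
        return None
    current = STOCK_PARENT
    while True:
        for rid, r in rules.items():
            if r["if_sid"] == current[0] and rule_fires(r, event):
                current = (rid, r["level"], r["description"])
                break
        else:
            return current  # no child fired; the last matched rule stands


# Constructed sample lines (not real events); the message text mirrors
# what a 2003 DC writes for event 680.
PREFIX = "WinEvtLog: Security: {status}(680): Security: SYSTEM: NT AUTHORITY: DC01: "
MSG = "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: jsmith Source Workstation: NAS01 Error Code: {code}"
SAMPLES = [
    PREFIX.format(status="AUDIT_FAILURE") + MSG.format(code="0xC000006A"),  # bad password
    PREFIX.format(status="AUDIT_FAILURE") + MSG.format(code="0xC0000234"),  # locked out
    PREFIX.format(status="AUDIT_FAILURE") + MSG.format(code="0xC0000072"),  # no child rule embedded
    PREFIX.format(status="AUDIT_SUCCESS") + MSG.format(code="0x0"),         # successful 680
]

if __name__ == "__main__":
    loaded = load_rules(LOCAL_RULES)
    for sample in SAMPLES:
        print(evaluate(sample, loaded))
```

The third sample is the case worth noticing: a 680 failure whose error code has no child rule still lands on 100006 at level 5, so the catch-all parent is what keeps unlisted NTSTATUS codes from being silently dropped. The fourth shows that a successful 680 never reaches the NTLM rules at all, because the stubbed 18105 gates on AUDIT_FAILURE.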