IBM Support

QRadar: Windows Event ID 4625 Parsed Sub-Statuses

Product Documentation


Abstract

Windows Event ID 4625 is mapped to a single QID, but the event carries sub-status codes that can be parsed and mapped to unique QIDs.

Content

Windows Event ID 4625: This event is "An account failed to log on", but the cause can be one of several reasons, as described under Failure Reason. I copied the 12 possible failure reasons from: Windows Security Log Event ID 4625.

Account For Which Logon Failed:
This identifies the user that attempted to logon and failed.
• Security ID: The SID of the account that attempted to log on. This is blank or a NULL SID if a valid account was not identified, such as where the username specified does not correspond to a valid account logon name.
• Account Name: The account logon name specified in the logon attempt.
• Account Domain: The domain or - in the case of local accounts - computer name.

Failure Information:
This section explains why the logon failed.
• Failure Reason: textual explanation of logon failure.
• Status and Sub Status: Hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.

Status and Sub Status Code   Description (not checked against "Failure Reason:")
0xC0000064                   user name does not exist
0xC000006A                   user name is correct but the password is wrong
0xC0000234                   user is currently locked out
0xC0000072                   account is currently disabled
0xC000006F                   user tried to logon outside his day of week or time of day restrictions
0xC0000070                   workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193                   account expiration
0xC0000071                   expired password
0xC0000133                   clocks between DC and other computer too far out of sync
0xC0000224                   user is required to change password at next logon
0xC0000225                   evidently a bug in Windows and not a risk
0xC000015B                   the user has not been granted the requested logon type (aka logon right) at this machine
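The following is an added example, not code from this technote or from the QRadar DSM, showing how the table above is applied in practice: a small parser that splits a 4625 message body into its sections, reads Status and Sub Status from the Failure Information section, prefers Sub Status and falls back to Status when Sub Status is 0x0 (the "sometimes filled in and sometimes not" case), and maps the effective code to the description from the table. The sample payloads are constructed in the layout Windows writes for this event; the account names, domain and host are invented, and the function names are this example's own.

```python
from collections import Counter

# Status / Sub Status codes and the descriptions listed in the table on this page.
LOGON_FAILURE_CODES = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "user is currently locked out",
    0xC0000072: "account is currently disabled",
    0xC000006F: "user tried to logon outside his day of week or time of day restrictions",
    0xC0000070: "workstation restriction, or Authentication Policy Silo violation",
    0xC0000193: "account expiration",
    0xC0000071: "expired password",
    0xC0000133: "clocks between DC and other computer too far out of sync",
    0xC0000224: "user is required to change password at next logon",
    0xC0000225: "evidently a bug in Windows and not a risk",
    0xC000015B: "the user has not been granted the requested logon type at this machine",
}


def parse_event_text(payload: str) -> dict:
    """Split a 4625 message body into {section: {field: value}}.

    Section headers sit at column 0 and end with ':'; fields are indented
    'Name:<tabs>value' lines. Keeping sections apart matters because
    'Account Name' appears under both Subject and Account For Which Logon Failed.
    """
    sections: dict = {"_header": {}}
    current = "_header"
    for raw in payload.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            sections.setdefault(current, {})
            continue
        if ":" in line:
            key, _, value = line.strip().partition(":")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def _hex_or_none(value):
    # Values arrive as text such as '0xC000006A'; int(..., 16) accepts the 0x prefix.
    return int(value, 16) if value else None


def classify_failure(payload: str) -> dict:
    """Map one 4625 event to the table's description, preferring Sub Status.

    Sub Status carries the specific cause; when it is 0x0 (not filled in),
    Status itself carries the reason, so fall back to it.
    """
    sections = parse_event_text(payload)
    info = sections.get("Failure Information", {})
    target = sections.get("Account For Which Logon Failed", {})
    status = _hex_or_none(info.get("Status"))
    sub_status = _hex_or_none(info.get("Sub Status"))
    effective = sub_status if sub_status else status  # 0 and None both fall back
    return {
        "account": f"{target.get('Account Domain', '')}\\{target.get('Account Name', '')}",
        "status": status,
        "sub_status": sub_status,
        "effective_code": effective,
        "description": LOGON_FAILURE_CODES.get(effective, "unmapped code"),
    }


def count_by_reason(payloads) -> Counter:
    """Aggregate failure causes over many events, e.g. for a triage summary."""
    return Counter(classify_failure(p)["description"] for p in payloads)


# Constructed sample payloads (not captured from a real system).
SAMPLE_DISABLED = """An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWS01$
\tAccount Domain:\t\tCORP

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP

Failure Information:
\tFailure Reason:\t\tAccount currently disabled.
\tStatus:\t\t\t0xC000006E
\tSub Status:\t\t0xC0000072
"""

SAMPLE_NO_USER = """An account failed to log on.

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\tnosuchuser
\tAccount Domain:\t\tCORP

Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC0000064
"""

SAMPLE_TIME = """An account failed to log on.

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-5-21-1-2-3-1105
\tAccount Name:\t\tnightshift
\tAccount Domain:\t\tCORP

Failure Information:
\tFailure Reason:\t\tAccount logon time restriction violation.
\tStatus:\t\t\t0xC000006F
\tSub Status:\t\t0x0
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DISABLED, SAMPLE_NO_USER, SAMPLE_TIME):
        print(classify_failure(sample))
    print(count_by_reason([SAMPLE_DISABLED, SAMPLE_NO_USER, SAMPLE_TIME]))
```

The fallback to Status is the practical point: a rule that only keys on Sub Status will label the time-restriction case as unknown, because Windows leaves Sub Status at 0x0 there and puts 0xC000006F in Status instead.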

SOLUTION:

*Make sure you are on the latest Microsoft Windows DSM found on Fix Central.

** New parameter that enables parsing of the sub-status of Windows Event ID 4625

- Create a file named WindowsAuthServer.properties in the path /opt/qradar/conf
- Insert the parameter name and value in the newly created properties file:
     enableAdditionalParsingFailedLogOn=true
- Run systemctl restart ecs-ec after the parameter value is added or updated in WindowsAuthServer.properties, so the change takes effect
- Payload events are then parsed as, for example, 'Failure Audit: An account failed to log on: Account Disabled' or 'An account failed to log on: Username Not Exist'
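As an added example (not an IBM script), the three steps above as an idempotent POSIX shell routine: it creates the properties file if needed, updates the parameter in place if it is already present rather than appending a duplicate line, and restarts ecs-ec only when systemctl is available on the host. The PROPS_FILE override and the helper names are this example's own; the path, parameter name and service name come from the page.

```shell
#!/bin/sh
# Added example: enable 4625 sub-status parsing in WindowsAuthServer.properties.
set -eu

PROPS_FILE="${PROPS_FILE:-/opt/qradar/conf/WindowsAuthServer.properties}"

# set_property FILE KEY VALUE: replace KEY=... if present, otherwise append it.
set_property() {
    file="$1"; key="$2"; value="$3"
    if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the current value, or nothing if the key is absent.
get_property() {
    grep "^${2}=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# apply_qradar_setting: steps 1-3 from the page, then show the resulting line.
apply_qradar_setting() {
    mkdir -p "$(dirname "$PROPS_FILE")"
    set_property "$PROPS_FILE" enableAdditionalParsingFailedLogOn true
    # The event collector only reads the file on restart.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart ecs-ec
    fi
    printf 'enableAdditionalParsingFailedLogOn=%s\n' \
        "$(get_property "$PROPS_FILE" enableAdditionalParsingFailedLogOn)"
}

# Usage on a QRadar console: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_qradar_setting
fi
```

Re-running the routine leaves exactly one enableAdditionalParsingFailedLogOn line in the file, which is what you want when the change is pushed by configuration management.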



Document Information

Modified date:
01 February 2019

UID

ibm10791835