Windows Event ID 4625 is mapped to a single QID, but the event carries sub-status codes that could be parsed and mapped to unique QIDs.
Windows Event ID 4625: This event is "An account failed to log on", but the cause can be one of several different reasons, as described under Failure Reason. I copied the 12 possible failure reasons from:
Windows Security Log Event ID 4625
Account For Which Logon Failed:
This identifies the user that attempted to logon and failed.
• Security ID: The SID of the account that attempted to logon. This is blank or a NULL SID if a valid account was not identified - such as where the username specified does not correspond to a valid account logon name.
• Account Name: The account logon name specified in the logon attempt.
• Account Domain: The domain or - in the case of local accounts - computer name.
This section explains why the logon failed.
• Failure Reason: textual explanation of logon failure.
• Status and Sub Status: Hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.
Status and Sub Status Code   Description (not checked against "Failure Reason:")
0xC0000064   user name does not exist
0xC000006A   user name is correct but the password is wrong
0xC0000234   user is currently locked out
0xC0000072   account is currently disabled
0xC000006F   user tried to logon outside his day of week or time of day restrictions
0xC0000070   workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193   account expiration
0xC0000071   expired password
0xC0000133   clocks between DC and other computer too far out of sync
0xC0000224   user is required to change password at next logon
0xC0000225   evidently a bug in Windows and not a risk
0xC000015B   The user has not been granted the requested logon type (aka logon right) at this machine
* Make sure you are on the latest Microsoft Windows DSM found on Fix Central.
** New parameter that will enable the parsing of the sub-status of Windows Event ID 4625
- Create a file named WindowsAuthServer.properties in the path /opt/qradar/conf
- Insert the parameter name and value in the newly created property file
- Run the systemctl restart ecs-ec command once the parameter value is added or updated in WindowsAuthServer.properties
- Payload events should then be parsed as 'Failure Audit: An account failed to log on: Account Disabled' or 'An account failed to log on: Username Not Exist'
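The following is an added example, not QRadar DSM code and not part of the original technote, showing how the Status / Sub Status codes from the table above can be pulled out of a 4625 payload and mapped to the kind of per-reason labels the parsing step produces. Only the 'Account Disabled' and 'Username Not Exist' labels come from the page; the other short labels, the function names, and the sample payloads are assumptions constructed for this example. It prefers Sub Status when it is filled in (non-zero) and falls back to Status otherwise, normalizes mixed-case hex such as 0xc000015b, and reports codes that are not in the table as unknown rather than guessing.

```python
import re
from collections import Counter

# Status / Sub Status codes and meanings, copied from the technote's table.
SUBSTATUS_DESCRIPTIONS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name is correct but the password is wrong",
    "0xC0000234": "user is currently locked out",
    "0xC0000072": "account is currently disabled",
    "0xC000006F": "logon outside day-of-week or time-of-day restrictions",
    "0xC0000070": "workstation restriction or Authentication Policy Silo violation",
    "0xC0000193": "account expiration",
    "0xC0000071": "expired password",
    "0xC0000133": "clocks between DC and other computer too far out of sync",
    "0xC0000224": "user is required to change password at next logon",
    "0xC0000225": "evidently a bug in Windows and not a risk",
    "0xC000015B": "user has not been granted the requested logon type at this machine",
}

# Short event labels. Only 'Account Disabled' and 'Username Not Exist' appear
# on the page; the others are assumed names chosen for this example.
EVENT_LABELS = {
    "0xC0000064": "Username Not Exist",
    "0xC000006A": "Wrong Password",
    "0xC0000234": "Account Locked Out",
    "0xC0000072": "Account Disabled",
    "0xC000006F": "Logon Time Restriction",
    "0xC0000070": "Workstation Restriction",
    "0xC0000193": "Account Expired",
    "0xC0000071": "Password Expired",
    "0xC0000133": "Clock Skew",
    "0xC0000224": "Password Change Required",
    "0xC0000225": "Windows Bug",
    "0xC000015B": "Logon Type Not Granted",
}

# 'Sub Status:' also contains the text 'Status:', so the Status pattern
# refuses matches that are preceded by 'Sub '.
STATUS_RE = re.compile(r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]+)")
SUBSTATUS_RE = re.compile(r"Sub Status:\s*(0x[0-9A-Fa-f]+)")

# Constructed sample payloads in the layout of a 4625 message (not captured
# from a real system). Tabs mimic the Windows event text formatting.
EVENT_DISABLED = (
    "An account failed to log on.\n"
    "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
    "\tFailure Reason:\t\tAccount currently disabled.\n"
    "\tStatus:\t\t\t0xC000006E\n\tSub Status:\t\t0xC0000072\n"
)
EVENT_NO_USER = (
    "An account failed to log on.\n\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\tnosuchuser\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n"
)
EVENT_LOGON_RIGHT = (  # lower-case hex and an empty (0x0) Sub Status
    "An account failed to log on.\n\tAccount Name:\t\tsvc-backup\n"
    "\tStatus:\t\t\t0xc000015b\n\tSub Status:\t\t0x0\n"
)
EVENT_NOT_IN_TABLE = (  # Status code that the technote's table does not list
    "An account failed to log on.\n\tAccount Name:\t\tjdoe\n"
    "\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0x0\n"
)


def normalize_code(code):
    """Upper-case the hex digits and zero-pad to the 8-digit NTSTATUS form so
    '0xc000015b' and '0xC000015B' compare equal and '0x0' becomes 0x00000000."""
    return "0x" + code[2:].upper().zfill(8)


def extract_codes(payload):
    """Return (status, sub_status) as normalized strings, or None when absent."""
    status = STATUS_RE.search(payload)
    sub = SUBSTATUS_RE.search(payload)
    return (
        normalize_code(status.group(1)) if status else None,
        normalize_code(sub.group(1)) if sub else None,
    )


def classify_4625(payload):
    """Pick the most specific failure code (Sub Status when filled in, else
    Status) and map it to the table's description and a short label."""
    status, sub = extract_codes(payload)
    # A Sub Status of 0x0 means it was not filled in; fall back to Status.
    code = sub if sub and sub != "0x00000000" else status
    return {
        "code": code,
        "description": SUBSTATUS_DESCRIPTIONS.get(code, "code not in table"),
        "label": EVENT_LABELS.get(code, "Unknown Failure"),
    }


def count_by_label(payloads):
    """Tally a batch of 4625 payloads by failure label, so a burst of failures
    can be told apart by reason (e.g. wrong passwords vs. unknown user names)."""
    return Counter(classify_4625(p)["label"] for p in payloads)


if __name__ == "__main__":
    for event in (EVENT_DISABLED, EVENT_NO_USER, EVENT_LOGON_RIGHT, EVENT_NOT_IN_TABLE):
        print(classify_4625(event))
    print(count_by_label([EVENT_DISABLED, EVENT_NO_USER, EVENT_NO_USER]))
```

Splitting failures by sub-status is what makes the per-reason tallies useful: a run of 'Username Not Exist' failures and a run of 'Account Disabled' failures against one host call for different responses, and a single 4625 QID hides that difference.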
01 February 2019