lots of 4625 failure events

Jeffrey Tucker 341 Reputation points
2021-10-07T12:56:52.79+00:00

my environment is 12 servers of which 2 are DCs. in my SIEM i see lots of 4625 events. here is an example

====

An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: RANDOM_USER_NAME Account Domain: MYDOMAINNAME Failure Information: Failure Reason: The user has not been granted the requested logon type at this machine. Status: 0xC000015B Sub Status: 0x0 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: IP_OF_SERVER Source Port: 53792 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

these users are random and the users would not even be trying to login to this server or the other servers (all of them have same events). nor do they have access to login. i am not concerned that this is malware. i am just trying to understand why there is so much noise in the SIEM and whether i need to audit this type or not.

thank you

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,585 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,776 questions
0 comments No comments
{count} votes

Accepted answer
  1. Anonymous
    2021-10-07T13:30:57.71+00:00

    You probably don't necessarily need this auditing. Some more info here.
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Jeffrey Tucker 341 Reputation points
    2021-10-07T15:01:19.277+00:00

    thanks for your answer. i can see that, perhaps, this sort of event is important when tracing illicit activity. these are failures and means there is no harm to the destination. i think i will just filter to exclude these. if i need them i can just temporarily disable the filter. all i would have to do this for about a minute and have thousands to look through.

    0 comments No comments

  2. Anonymous
    2021-10-07T15:08:51.683+00:00

    Sounds good, you're welcome.

    --please don't forget to upvote and Accept as answer if the reply is helpful--