Grouped by Detection Method
- Count of Successful/Failed Events per Hour
- Count of Successful/Failed Events per Source System
- Count of Successful/Failed Events per Source User
- Account Logon After Employee End Date
- Account Logon During Unusual Time of Day
- Account Logon During Unusual Day of Week
- Service Account Interactive Logon
- A user with an unrecognized naming convention is observed
- Account Created With Name Similar to "Admin"
- Account Created With Name Similar to "Administrator"
- Account Created With Name Similar to the local service account naming convention
- Newly Observed Source User
- Newly Observed Source User=Service Account, Type=Interactive
- Newly Observed Source User, Destination Host
- User Name, Destination Host where Destination Host Count exceeds threshold
- Source Account, Outcome=Failure where Count exceeds threshold
- Source Account, Outcome=Failure, Destination Host where Destination Host Count exceeds threshold
- Windows Security Event ID 4624: An account was successfully logged on
- Windows Security Event ID 4625: An account failed to log on
- Windows Security Event ID 4648: A logon was attempted using explicit credentials
- VPN Logons
- SSH Logons
- Application Logons
- May pick up failed service accounts repeatedly trying to "do their job" with a locked account. Notifying the appropriate admin is a good idea here.
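
As an added example (not part of the original list), the sketch below implements the "Source Account, Outcome=Failure" threshold checks over Event ID 4625 records and separates out the locked service account case from the last item. The event tuples are constructed sample data; the thresholds and the `svc-` service account prefix are assumptions to replace with local values.

```python
from collections import defaultdict

# Assumed values: tune to the environment's baseline and naming convention.
HOST_THRESHOLD = 3          # distinct destination hosts with failures per account
COUNT_THRESHOLD = 5         # total failures per account
SERVICE_PREFIX = "svc-"     # hypothetical service account naming convention

MANY_HOSTS = "failures across many destination hosts"
HIGH_COUNT = "failure count exceeds threshold"
SERVICE_RETRY = "service account retrying on one host: notify the owning admin"

# Constructed sample events: (event_id, source_account, destination_host)
EVENTS = (
    [(4625, "jsmith", f"ws-{i:02d}") for i in range(1, 5)]   # 4 hosts, 1 failure each
    + [(4625, "svc-backup", "db-01")] * 6                    # locked account retry loop
    + [(4625, "alice", "ws-09")] * 2                         # ordinary mistyped password
    + [(4624, "bob", "ws-10")] * 10                          # successes are ignored
)

def failed_logon_findings(events, host_threshold=HOST_THRESHOLD,
                          count_threshold=COUNT_THRESHOLD):
    """Return {account: finding} for accounts whose 4625 events exceed a threshold."""
    hosts = defaultdict(set)
    counts = defaultdict(int)
    for event_id, account, host in events:
        if event_id != 4625:            # only failed logons
            continue
        key = account.lower()           # account names are case-insensitive
        hosts[key].add(host.lower())
        counts[key] += 1

    findings = {}
    for account, total in counts.items():
        spread = len(hosts[account])
        if spread > host_threshold:
            # Source Account, Outcome=Failure, Destination Host count exceeds threshold
            findings[account] = MANY_HOSTS
        elif total > count_threshold:
            # Source Account, Outcome=Failure where Count exceeds threshold
            if account.startswith(SERVICE_PREFIX) and spread == 1:
                findings[account] = SERVICE_RETRY
            else:
                findings[account] = HIGH_COUNT
    return findings

if __name__ == "__main__":
    for account, finding in sorted(failed_logon_findings(EVENTS).items()):
        print(f"{account}: {finding}")
```

Routing the service account case to a separate finding keeps the expected noise from locked accounts out of the analyst queue while still getting it to the admin who can fix it.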