Windows Account Usage

User account information can be collected and audited. Tracking local account usage can help detect Pass-the-Hash activity and other unauthorized account usage. Additional information, such as remote desktop logins, users added to privileged groups, and account lockouts, can also be tracked. User accounts promoted to privileged groups should be audited very closely to confirm that those users are in fact supposed to be in a privileged group. Unauthorized membership in a privileged group is a strong indicator that malicious activity has occurred. Lockout events for domain accounts are generated on the domain controller, whereas lockout events for local accounts are generated on the local computer.

SIEM Events

Temp Profile Logon

Description: User logging on with a temporary profile
Event Source: Microsoft-Windows-User Profiles Service
Event Log: Application

Create Profile Failed

Description: Cannot create profile, using temporary profile
Event Source: Microsoft-Windows-User Profiles Service
Event Log: Application

User Added To Privileged Group

Event Source: Microsoft-Windows-Security-Auditing
Event Log: Security

Group Assigned To New Session

Description: Groups assigned to a new logon session
Event Source: LsaSrv
Event Log: Microsoft-Windows-LSA/Operational
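The following PowerShell function is an added example, not part of the AIS page or product, showing how a defender can pull the event sources listed above from a host's own logs to spot-check what the SIEM should be receiving. It assumes read access to the Security log on the target host; the event IDs for group-membership changes and lockouts are well-known Windows audit IDs that the page itself does not list, and the computer name in the usage line is a placeholder.

```powershell
# Added example (not from the AIS page): collect the account-usage events this
# page lists from a host's event logs. Assumes rights to read the Security log.
function Get-AccountUsageEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error
    # that Get-WinEvent raises when a filter matches nothing.
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

    # Temporary-profile logons and failed profile creation (Application log).
    $profileEvents = Get-WinEvent @common -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        StartTime    = $since
    }

    # Members added to security-enabled groups (4732 local, 4728 global,
    # 4756 universal) and account lockouts (4740). These IDs are assumptions
    # not taken from the page. Lockouts for domain accounts are written on the
    # domain controller and lockouts for local accounts on the local machine,
    # so run this against both kinds of host as needed.
    $securityEvents = Get-WinEvent @common -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 4728, 4732, 4756, 4740
        StartTime    = $since
    }

    # Groups assigned to a new logon session (LSA operational log). Returns
    # nothing if that log is not enabled on the host.
    $lsaEvents = Get-WinEvent @common -FilterHashtable @{
        LogName      = 'Microsoft-Windows-LSA/Operational'
        ProviderName = 'LsaSrv'
        StartTime    = $since
    }

    # Merge, drop empty results, and keep the first line of each message as a summary.
    @($profileEvents) + @($securityEvents) + @($lsaEvents) |
        Where-Object { $_ } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, ProviderName, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (placeholder host name): review the last two days on a domain controller.
Get-AccountUsageEvents -ComputerName 'DC01' -Hours 48 | Format-Table -AutoSize
```

Compare the output against what the SIEM shows for the same window; a host producing group-membership or lockout events that never reach the SIEM points at a forwarding gap.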

AIS Managed SIEM

Last modified March 24, 2021