Windows Authentication Content Pack

Overview

Authentication is one of the most common events on a network, but sifting through those events to separate legitimate from unwelcome activity is difficult. Windows records every logon attempt in the Security event log, and those records are well suited to correlation. Monitoring successful and failed attempts over time surfaces trends tied to specific usernames, hosts, and domains, which can point to compromised credentials, malicious insiders, and other activity that merits deeper investigation.

Content Pack Components

Views

Views summarize, and allow drilling into, the authentication events collected from Windows devices on the network.

  • Detailed Successful Windows Logons
  • Successful Windows Logon Overview
  • Correlated Admin Logons
  • Correlated Built-in Account Admin Logons
  • Correlated Service Account Admin Logons
  • Correlated Successful Admin Logon Overview
  • Admin Logons by Normalization
  • Built-in Account Admin Logons by Normalization
  • Service Account Admin Logons by Normalization
  • Successful Admin Logon Overview by Normalization
  • Windows Accounts Created

Correlation Rules

Each rule is designed to trigger on a specific type of Windows authentication event. Several rules come in two variants because the event IDs differ between OS generations: Windows 2000/2003/XP log logons as the legacy 5xx events (for example 528/540 for a successful logon and 529 for a failed one), while Vista/Server 2008 and later use 4624 and 4625.

  • Administrator Account Logon on Vista-2008 or Later
  • Administrator Account Logon on 2000-2003-XP
  • Admin Logon from Non-Company Geolocation on Vista-2008 or Later
  • Admin Logon from Non-Company Geolocation on 2000-2003-XP
  • Admin Logon from Suspicious Geolocation on Vista-2008 or Later
  • Admin Logon from Suspicious Geolocation on 2000-2003-XP
  • Restricted Domain Account Failed Logon
  • Domain User Failed Logon Due to Invalid Password
  • Domain User Logon After Multiple Failed Attempts
  • Failed Domain Logon on Restricted Host
  • Failed Logon Due to Invalid Domain Username
  • Domain Account Created
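The following is an added example and not code from the McAfee content pack or ESM itself; it shows, in plain Python over a handful of constructed Windows Security log records, what the Overview describes and what several of the rules above do: stateless rules keyed on the event ID and the 4625 sub-status (invalid password vs. unknown user name), and a stateful "logon after multiple failed attempts" rule that keeps a sliding window of failures per account. The event IDs (4624 success, 4625 failure, 4720 account created) and the NTSTATUS sub-status values are the real Windows ones; the record layout, the admin and restricted account lists, the threshold and the window are assumptions made for the example.

```python
"""
Added example: simplified versions of the content pack's Windows
authentication rules, run over constructed Security log records.
This is illustrative code, not the ESM/ACE rule implementation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs (Vista/Server 2008 and later).
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625
EVENT_ACCOUNT_CREATED = 4720

# NTSTATUS values that event 4625 reports in its Sub Status field.
STATUS_WRONG_PASSWORD = "0xC000006A"   # STATUS_WRONG_PASSWORD
STATUS_NO_SUCH_USER = "0xC0000064"     # STATUS_NO_SUCH_USER

# Assumed local policy (hypothetical): administrative accounts, and
# accounts that should never be seen failing a domain logon.
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}
RESTRICTED_ACCOUNTS = {"svc_legacy"}

# Constructed sample events, not real log data. "host" stands in for the
# WorkstationName/IpAddress fields of the Windows event.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T07:40:00", "event_id": 4625, "user": "jdoe", "domain": "CORP", "host": "WS-101", "status": "0xC000006A"},
    {"time": "2024-05-01T08:00:01", "event_id": 4625, "user": "jdoe", "domain": "CORP", "host": "WS-101", "status": "0xC000006A"},
    {"time": "2024-05-01T08:00:07", "event_id": 4625, "user": "jdoe", "domain": "CORP", "host": "WS-101", "status": "0xC000006A"},
    {"time": "2024-05-01T08:00:12", "event_id": 4625, "user": "jdoe", "domain": "CORP", "host": "WS-101", "status": "0xC000006A"},
    {"time": "2024-05-01T08:00:20", "event_id": 4625, "user": "jdoe", "domain": "CORP", "host": "WS-101", "status": "0xC000006A"},
    {"time": "2024-05-01T08:00:31", "event_id": 4625, "user": "jdoe", "domain": "CORP", "host": "WS-101", "status": "0xC000006A"},
    {"time": "2024-05-01T08:00:45", "event_id": 4624, "user": "jdoe", "domain": "CORP", "host": "WS-101"},
    {"time": "2024-05-01T08:02:00", "event_id": 4625, "user": "asmith", "domain": "CORP", "host": "WS-202", "status": "0xC000006A"},
    {"time": "2024-05-01T08:02:30", "event_id": 4624, "user": "asmith", "domain": "CORP", "host": "WS-202"},
    {"time": "2024-05-01T08:03:00", "event_id": 4625, "user": "ghost", "domain": "CORP", "host": "WS-303", "status": "0xC0000064"},
    {"time": "2024-05-01T08:04:00", "event_id": 4625, "user": "svc_legacy", "domain": "CORP", "host": "WS-303", "status": "0xC000006A"},
    {"time": "2024-05-01T08:05:00", "event_id": 4624, "user": "Administrator", "domain": "CORP", "host": "DC-01"},
    {"time": "2024-05-01T08:06:00", "event_id": 4720, "user": "tmp_admin2", "domain": "CORP", "host": "DC-01"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def classify(ev):
    """Stateless rules: the rule names a single event triggers on its own."""
    hits = []
    user = ev["user"].lower()
    if ev["event_id"] == EVENT_LOGON_SUCCESS and user in ADMIN_ACCOUNTS:
        hits.append("Administrator Account Logon")
    if ev["event_id"] == EVENT_LOGON_FAILURE:
        if ev.get("status") == STATUS_WRONG_PASSWORD:
            hits.append("Domain User Failed Logon Due to Invalid Password")
        elif ev.get("status") == STATUS_NO_SUCH_USER:
            hits.append("Failed Logon Due to Invalid Domain Username")
        if user in RESTRICTED_ACCOUNTS:
            hits.append("Restricted Domain Account Failed Logon")
    if ev["event_id"] == EVENT_ACCOUNT_CREATED:
        hits.append("Domain Account Created")
    return hits


def logon_after_failures(events, threshold=5, window=timedelta(minutes=10)):
    """
    Stateful rule: report a 4624 for an account that accumulated at least
    `threshold` 4625 events inside the trailing `window`. Failures older
    than the window are discarded, and a success clears the run so that
    one burst produces one alert.
    """
    failures = defaultdict(deque)  # (DOMAIN, user) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        key = (ev["domain"].upper(), ev["user"].lower())
        now = _ts(ev["time"])
        run = failures[key]
        while run and now - run[0] > window:
            run.popleft()
        if ev["event_id"] == EVENT_LOGON_FAILURE:
            run.append(now)
        elif ev["event_id"] == EVENT_LOGON_SUCCESS:
            if len(run) >= threshold:
                alerts.append({"domain": ev["domain"], "user": ev["user"],
                               "host": ev["host"], "failures": len(run),
                               "time": ev["time"]})
            run.clear()
    return alerts


def evaluate(events, threshold=5, window=timedelta(minutes=10)):
    """Run all rules and return (rule, DOMAIN\\user, time) triples."""
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append((rule, f'{ev["domain"]}\\{ev["user"]}', ev["time"]))
    for a in logon_after_failures(events, threshold, window):
        findings.append(("Domain User Logon After Multiple Failed Attempts",
                         f'{a["domain"]}\\{a["user"]}', a["time"]))
    return findings


if __name__ == "__main__":
    for rule, account, when in evaluate(SAMPLE_EVENTS):
        print(f"{when}  {rule:<55} {account}")
```

In the sample data jdoe's failure at 07:40 falls outside the ten-minute window and is dropped, so the alert that fires on the 08:00:45 success counts exactly five failures; asmith's single failure followed by a success is not reported, and the "ghost" failure is classified by sub-status as an unknown user name rather than a bad password. The threshold and window are the knobs a practitioner would tune per environment; the legacy 2000/2003/XP event IDs mentioned above would need their own mapping, which this example does not include.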

Required Products

  • McAfee Enterprise Security Manager (ESM) 10.0.x, 9.6.x, 9.5.x
  • McAfee Advanced Correlation Engine (ACE) 10.0.x, 9.6.x, 9.5.x
  • A Windows data source configured in ESM to receive events from the Windows devices in the network environment.

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.
