LoFP / This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them.

Techniques

Sample rules

MSSQL Server Failed Logon

Description

Detects failed logon attempts from clients to MSSQL server.

Detection logic

condition: selection
selection:
  EventID: 18456
  Provider_Name|contains: MSSQL