Authentication-Related Event IDs

Giganews Newsgroups
Subject: Authentication-Related Event IDs
Posted by:  Seeker (newsgrou…@example.com)
Date: Sat, 14 Apr 2007

A few questions about the real-world relevance and importance of some
account related Event IDs.

-If 675s are being monitored, what extra information could 672 give?
This is the TGT request, but my understanding is that nothing can really
be done until 673 (ticket granted), anyway.  And 675s would catch
user-related logon activity.  Are there security-relevant situations
where one would see multiple 672s and/or 673s, but not 675s?

-What is the difference between a 531 and a 675, error code 18?  Will
they both be logged if there is a failed attempt to logon to a disabled
account?  Is it worth monitoring both?

Thanks in advance.

Replies