Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Sigma rule

title: Locked Workstation
id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
status: stable
description: Detects locked workstation session events that occur automatically after a standard period of inactivity.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
modified: 2023/12/11
tags:
    - attack.impact
    # - CSC16
    # - CSC16.11
    # - ISO27002-2013 A.9.1.1
    # - ISO27002-2013 A.9.2.1
    # - ISO27002-2013 A.9.2.2
    # - ISO27002-2013 A.9.2.3
    # - ISO27002-2013 A.9.2.4
    # - ISO27002-2013 A.9.2.5
    # - ISO27002-2013 A.9.2.6
    # - ISO27002-2013 A.9.3.1
    # - ISO27002-2013 A.9.4.1
    # - ISO27002-2013 A.9.4.3
    # - ISO27002-2013 A.11.2.8
    # - PCI DSS 3.1 7.1
    # - PCI DSS 3.1 7.2
    # - PCI DSS 3.1 7.3
    # - PCI DSS 3.1 8.7
    # - PCI DSS 3.1 8.8
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.PT-3
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4800
    condition: selection
falsepositives:
    - Likely
level: informational
