Our admin accounts are part of the protected users group, which prevents them from authenticating via NTLM. When an admin connects to a host via RDP, the system first attempts NTLM authentication before heading to Kerberos. This behavior triggers an alert in our SIEM.
Do you have any suggestions on how to adjust the rule to prevent this alert from occurring?
Best regards,
Klaus
Would probably need a little more info on this... but from the above:
I believe you are probably seeing a 4625 event with a "Reason for Error" populated with "The user is a member of a protected group and must authenticate with Kerberos"?
Or simply a 4625 event with "Login failed - Unknown user name or bad password.", with the Authentication Method set to "NTLM".
If you have LDAP discovery enabled, your CMDB will contain the "Protected Users" group and its membership... so you could look to clone the rule to exclude, in the "logon failure" sub pattern, users that are in the Protected Users group AND authentication method = NTLM.
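As an added example (not code from this thread or from the SIEM vendor), the suppression logic the reply describes, run over constructed 4625 message bodies: parse the fields, look the failing account up in a stand-in for the CMDB's "Protected Users" membership, and drop only the NTLM failures for those members so every other logon failure still alerts. The event bodies, the account names and the group membership are all constructed sample data; the field names follow the Windows 4625 message layout.

```python
"""Suppress 4625 logon-failure alerts caused by Protected Users members
falling back to NTLM, while keeping every other logon failure.

Everything below is constructed sample data: the event bodies are not
real logs and PROTECTED_USERS stands in for the group membership a SIEM
would pull from the CMDB via LDAP discovery.
"""
import re
from typing import Dict, List, Tuple

# Stand-in for the CMDB's "Protected Users" membership (DOMAIN\user).
PROTECTED_USERS = {"CORP\\klaus", "CORP\\adm-jane"}

# Constructed 4625 bodies in the Security log's key/value layout.
# Only the fields the rule needs are included.
SAMPLE_EVENTS = [
    "An account failed to log on.\n"
    "Account Name:\t\tklaus\n"
    "Account Domain:\t\tCORP\n"
    "Failure Reason:\t\tThe user is a member of a protected group and must authenticate with Kerberos\n"
    "Logon Type:\t\t10\n"
    "Authentication Package:\tNTLM\n"
    "Workstation Name:\tJUMP01",
    "An account failed to log on.\n"
    "Account Name:\t\tadm-jane\n"
    "Account Domain:\t\tCORP\n"
    "Failure Reason:\t\tUnknown user name or bad password.\n"
    "Logon Type:\t\t10\n"
    "Authentication Package:\tNTLM\n"
    "Workstation Name:\tJUMP01",
    "An account failed to log on.\n"
    "Account Name:\t\tbob\n"
    "Account Domain:\t\tCORP\n"
    "Failure Reason:\t\tUnknown user name or bad password.\n"
    "Logon Type:\t\t3\n"
    "Authentication Package:\tNTLM\n"
    "Workstation Name:\tFILE02",
    "An account failed to log on.\n"
    "Account Name:\t\tklaus\n"
    "Account Domain:\t\tCORP\n"
    "Failure Reason:\t\tUnknown user name or bad password.\n"
    "Logon Type:\t\t10\n"
    "Authentication Package:\tKerberos\n"
    "Workstation Name:\tJUMP01",
]

_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_4625(body: str) -> Dict[str, str]:
    """Return the key/value fields of a 4625 message body.

    The constructed bodies carry one Account Name each. A real 4625 lists
    one under 'Subject:' and one under 'Account For Which Logon Failed:';
    a production parser must take the latter.
    """
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def account_key(fields: Dict[str, str]) -> str:
    """DOMAIN\\user, case-folded, so CMDB and event spellings compare equal."""
    return f"{fields.get('Account Domain', '')}\\{fields.get('Account Name', '')}".casefold()


def is_protected_ntlm_fallback(fields: Dict[str, str], protected_keys: set) -> bool:
    """True when the failing account is a Protected Users member AND the
    attempt used NTLM, which is exactly the exclusion the reply proposes."""
    return (fields.get("Authentication Package", "").upper() == "NTLM"
            and account_key(fields) in protected_keys)


def triage(bodies: List[str], protected_users: set) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split 4625 bodies into (still alert, suppressed)."""
    protected_keys = {p.casefold() for p in protected_users}
    kept, suppressed = [], []
    for body in bodies:
        fields = parse_4625(body)
        (suppressed if is_protected_ntlm_fallback(fields, protected_keys) else kept).append(fields)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_EVENTS, PROTECTED_USERS)
    for f in suppressed:
        print("suppressed:", account_key(f), f["Authentication Package"], "-", f["Failure Reason"])
    for f in kept:
        print("ALERT:     ", account_key(f), f["Authentication Package"], "-", f["Failure Reason"])
```

Note that the exclusion keys on the account and the authentication package, not on the failure-reason text, so the "Unknown user name or bad password" variant the reply mentions is suppressed as well; a Kerberos failure for the same admin, or an NTLM failure for a non-member, still fires. If you want a tighter rule, add a check that the Failure Reason contains "protected group" before suppressing.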
Copyright 2025 Fortinet, Inc. All Rights Reserved.