logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: The Auth_Failed_Logon_Count Field is Zero

Carbon Black Cloud: The Auth_Failed_Logon_Count Field is Zero

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

The "Enable auth event collection" setting is enabled but the auth_failed_logon_count search field is always 0

Cause

This is because by default this isn't tracked by Windows unless DisplayLastLogonInfo is enabled

Resolution

Enable DisplayLastLoginInfo via the Windows Registry or GPO

Additional Notes

Engineering is looking into calculating this independently in the future as well so it's not dependent on the Windows setting being enabled

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎12-26-2023
Views:
137
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.