Commit 8b45547

Add Windows auth field evidence gates
1 parent f4f3374 commit 8b45547

1 file changed

Lines changed: 42 additions & 3 deletions

skills/secops/log-analysis/SKILL.md

@@ -13,7 +13,7 @@ phase: [operate]
1313
frameworks: [MITRE-ATT&CK-v16, NIST-SP-800-92]
1414
difficulty: intermediate
1515
time_estimate: "20-40min"
16-
version: "1.0.0"
16+
version: "1.0.1"
1717
author: unitoneai
1818
license: MIT
1919
allowed-tools: Read, Grep, Glob
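Review bot: A patch-level bump from "1.0.0" to "1.0.1" understates what the rest of this commit does: the later hunks add a new required input to the pre-analysis checklist, two reference tables, a decision rule and a new section in the output structure, which changes what consumers of this skill receive. Consider a minor bump ("1.1.0") so that the new "Windows Auth Field Evidence" output section is signalled as an additive interface change rather than a fix.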
@@ -56,6 +56,7 @@ Before beginning analysis, gather or confirm:
5656
- [ ] **Time window:** The specific time range to analyze.
5757
- [ ] **Scope:** Which hosts, users, IP addresses, or network segments are in scope?
5858
- [ ] **Available log sources:** Which logs are available? (Windows Event Logs, Sysmon, EDR, firewall, proxy, DNS, cloud audit, application logs.)
59+
- [ ] **Windows authentication fields:** For Event IDs 4624/4625, are LogonType, Status/SubStatus, FailureReason, LogonProcess, AuthenticationPackage, source address, workstation, account class, and host role available?
5960
- [ ] **Known-good context:** What is expected/normal for this environment? (Authorized admin accounts, expected service accounts, normal working hours, approved applications.)
6061
- [ ] **Related alerts or incidents:** Are there existing alerts, tickets, or incident reports associated with this investigation?
6162
- [ ] **SIEM access:** Which SIEM platform contains the logs? (Determines query language and table names.)
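Review bot: The new "Windows authentication fields" checklist item lists "account class" and "host role" alongside raw 4624/4625 fields, but neither is carried in the event itself; they have to be resolved from asset inventory or the "Known-good context" item directly below. Consider wording it as "... source address and workstation available, and can account class and host role be resolved from inventory or known-good context?" so an analyst does not go looking for those two values in the Security log and wrongly mark them as a visibility gap.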
@@ -148,6 +149,39 @@ These Event IDs are the most security-relevant events in the Windows Security Ev
148149
| 10 | RemoteInteractive | RDP logon | Expected for designated jump servers; suspicious on workstations or non-RDP servers |
149150
| 11 | CachedInteractive | Logon with cached domain credentials | Normal when DC is unreachable; suspicious if DC is available |
150151

152+
**Windows authentication field evidence gate (4624/4625):**
153+
154+
Do not classify Windows authentication activity from Event ID alone. Record the decisive fields before assigning severity or ATT&CK mapping.
155+
156+
| Field | Why It Matters | Precision Guidance |
157+
|---|---|---|
158+
| Event ID | Distinguishes success (4624) from failure (4625), explicit credential use (4648), and privileged logon (4672) | Use as the starting signal, not the conclusion |
159+
| LogonType | Separates console, network, batch, service, RDP, cached, and `runas /netonly` activity | Treat LogonType 3 on workstations, 9, and unexpected 10 as higher-risk than routine server SMB or managed service activity |
160+
| Status / SubStatus | Explains 4625 failure cause | Bad password / unknown user supports spray or brute force; locked, disabled, expired, or logon-type-denied may indicate operational drift or policy enforcement |
161+
| FailureReason | Human-readable failure context where available | Cross-check against Status/SubStatus; do not rely on localized text alone |
162+
| LogonProcess | Shows the Windows component or mechanism involved | `User32`, `Advapi`, `NtLmSsp`, and service/batch contexts imply different activity paths |
163+
| AuthenticationPackage | Distinguishes Kerberos, NTLM, Negotiate, or package-specific flows | Unexpected NTLM where Kerberos is expected may indicate downgrade, legacy path, or lateral movement |
164+
| Source Network Address / WorkstationName | Identifies where the attempt originated | Treat `-`, `::1`, `127.0.0.1`, and local hostnames as local/unknown until corroborated; do not map them to external source behavior |
165+
| TargetUserName / TargetDomainName | Identifies the account and identity boundary | Separate human users, service accounts, machine accounts ending in `$`, break-glass accounts, and external/trusted domains |
166+
| Host role | Determines whether the logon pattern is expected | RDP to a jump host, SMB to a file server, and service logon on an app server have different baselines |
167+
168+
**Common 4625 SubStatus examples:**
169+
170+
| SubStatus | Typical Meaning | Triage Implication |
171+
|---|---|---|
172+
| `0xC000006A` | Bad password | Stronger spray/brute-force signal when repeated across users or sources |
173+
| `0xC0000064` | User name does not exist | Username enumeration or spray candidate |
174+
| `0xC0000234` | Account locked out | May be attack outcome or operational lockout noise; correlate with prior failures |
175+
| `0xC0000072` | Account disabled | Often stale automation or invalid use of disabled account; investigate source and recency |
176+
| `0xC0000071` | Password expired | Usually operational drift unless paired with suspicious source, volume, or privilege |
177+
| `0xC000015B` | Logon type not granted | Policy prevented requested logon; useful for attempted access path but not proof of compromise |
178+
179+
**Decision rule:**
180+
181+
- Mark a 4624/4625 finding `Suspicious` only when the field combination contradicts known-good account class, host role, source, time window, or access path.
182+
- Mark it `Benign / Expected` when the event matches documented service, scheduled task, jump host, file server, or policy-enforcement behavior.
183+
- Mark it `Needs More Context` when key fields are absent, normalized away by the SIEM, or inconsistent across sources.
184+
151185
#### Process and Service Events
152186

153187
| Event ID | Description | Security Relevance | ATT&CK Mapping |
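Review bot: The LogonType row's guidance "Treat LogonType 3 on workstations, 9, and unexpected 10 as higher-risk" is ambiguous as written: the bare "9" has no host qualifier, so it is unclear whether LogonType 9 (`runas /netonly`, NewCredentials) is meant to be higher-risk everywhere or only on certain host roles. Suggest "Treat LogonType 3 on workstations, LogonType 9 anywhere it is not an expected admin pattern, and LogonType 10 outside designated jump hosts as higher-risk ...". Two smaller points in the same hunk: the "Status / SubStatus" row implies a top-level Status column, but the "Common 4625 SubStatus examples" table only lists SubStatus values, so consider stating that these typically appear under Status `0xC000006D` so readers match the right field; and since the spray/brute-force implications in that table are scoped to 4625 on the target host, a one-line pointer that domain-side failures surface as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) on domain controllers would keep analysts from concluding "no 4625, no spray".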
@@ -377,6 +411,11 @@ Produce log analysis findings in this structure:
377411
### Baseline Observations
378412
[Any baseline deviations noted, with comparison to established norms]
379413

414+
### Windows Auth Field Evidence (if applicable)
415+
| Event Ref | Event ID | LogonType | Status/SubStatus | Auth Package | Logon Process | Source / Workstation | Account Class | Host Role | Assessment |
416+
|---|---|---|---|---|---|---|---|---|---|
417+
| [event id/timestamp] | [4624/4625] | [2/3/9/10/etc.] | [code/reason] | [Kerberos/NTLM/etc.] | [process] | [IP/host/null] | [human/service/machine/break-glass] | [workstation/server/jump/file/app] | [Suspicious/Benign/Needs More Context] |
418+
380419
### Visibility Gaps
381420
[Log sources that were not available but would have provided relevant data]
382421

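Review bot: The "Assessment" column placeholder in the new output table uses `[Suspicious/Benign/Needs More Context]`, but the decision rule added earlier in this commit defines the labels as `Suspicious`, `Benign / Expected` and `Needs More Context`; align the placeholder to `[Suspicious/Benign \/ Expected/Needs More Context]` (or drop "/ Expected" from the decision rule) so the two cannot drift apart. Also, the "Event Ref" placeholder `[event id/timestamp]` duplicates the adjacent "Event ID" column; `[EventRecordID/timestamp]` would give a unique reference back to the source event. Finally, FailureReason is named as a decisive field in the evidence gate but has no column here; either add it or fold it into the "Status/SubStatus" cell as `[code/reason]` already hints.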
@@ -443,9 +482,9 @@ No single log source provides complete visibility. Authentication logs show who
443482

444483
The absence of logs can be as significant as their presence. If a server that normally generates 1000 events per hour suddenly shows zero events, the logging pipeline may be broken or an adversary may have disabled logging (T1070.001 -- Clear Windows Event Logs, T1562.001 -- Disable or Modify Tools). Monitor for gaps in log continuity.
445484

446-
### Pitfall 4: Misinterpreting Event IDs Without Context
485+
### Pitfall 4: Misinterpreting Event IDs Without Field-Level Context
447486

448-
A single Event ID can have very different meanings depending on the context. Event ID 4624 (successful logon) with LogonType 3 (network) is routine on a file server but suspicious on a developer workstation receiving inbound network logons. Always consider the LogonType, source/destination, user, time of day, and host role when interpreting events.
487+
A single Event ID can have very different meanings depending on the context. Event ID 4624 (successful logon) with LogonType 3 (network) is routine on a file server but suspicious on a developer workstation receiving inbound network logons. Event ID 4625 can indicate attack traffic, but SubStatus may show expired passwords, disabled accounts, lockouts, or policy-denied logon types. Always consider LogonType, Status/SubStatus, FailureReason, LogonProcess, AuthenticationPackage, source/destination, user/account class, time of day, and host role before assigning severity.
449488

450489
### Pitfall 5: Not Establishing Baselines Before Looking for Anomalies
451490

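Review bot: The rewritten Pitfall 4 paragraph repeats the full nine-item field enumeration that the "Windows authentication field evidence gate (4624/4625)" table already defines, which is a second copy to keep in sync. Consider shortening the last sentence to "Always apply the Windows authentication field evidence gate (LogonType, Status/SubStatus, source, account class, host role and the other fields listed there) before assigning severity" so the pitfall points at the single authoritative list rather than restating it.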