Detection, informational, stable

Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Author: Alexandr Yampolskyi, SOC Prime
Created: Tue Mar 26
Updated: Mon Dec 11
ID: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
Product: windows

Log Source
Product: Windows (raw: windows)
Service: security (raw: security)

Detection Logic (1 selector)

detection:
    selection:
        EventID: 4800
    condition: selection
False Positives

Likely

MITRE ATT&CK
Rule Metadata
Rule ID: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
Status: stable
Level: informational
Type: Detection
Created: Tue Mar 26
Modified: Mon Dec 11
Path: rules/windows/builtin/security/win_security_workstation_was_locked.yml
Raw Tags: attack.impact