wazuh-ruleset
The rule 60204 is inaccurate
This rule can be triggered by a combination of failed 4769 events, which are generated every time a Windows resource is requested, according to the documentation:
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
We should reconsider giving a level 10 alert when this event is processed 8 times, since users may think that someone is trying to log into their systems. The risk of false positives with this rule is high.
https://github.com/wazuh/wazuh-ruleset/blob/1133f46fe69eab88c19ff7cc14beb17a13692e49/rules/0580-win-security_rules.xml#L867-L873
Thanks to PR for reporting this use case through our Slack channel.
So it still lives here, this repo got archived, and it's still not fixed after 3 years?
Ref: https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0580-win-security_rules.xml
It's completely flooding alerts since it's called on success. The log has "Failure Code: 0xD", which isn't actually a real failure. The action is successful and legitimate. In my case, it's service accounts refreshing their ticket when accessing domain resources from a K8S pod.
It's still logged as an audit failure though. Probably need additional filtering.
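The frequency correlation that rule 60204 performs (level 10 once 8 matching failures are seen from one source) and the extra filtering the last comment asks for, reproduced as an added Python simulation. This is not the wazuh-ruleset project's own code or rule syntax; the 240-second timeframe, the field names, the sample events, and the choice to exclude status 0xD from the counted set are constructed assumptions for illustration, taken from the comment above rather than verified as safe to ignore in general.

```python
"""Simulate a frequency/timeframe correlation over Windows 4769 events.

Added example, not code from wazuh-ruleset. It mimics the shape of rule 60204
(level 10 after 8 failed logon-type events from the same source) to show how a
service account producing 4769 audit failures with status 0xD can fire it, and
what excluding that status from the counted set changes.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

FREQUENCY = 8        # from the issue: fire on the 8th matching event
TIMEFRAME = 240      # seconds; assumption, the issue does not state the value
ALERT_LEVEL = 10     # from the issue
IGNORE_STATUS = frozenset({"0xd"})   # commenter's suggestion, lower-cased


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed)
    event_id: int    # Windows Security event ID
    keyword: str     # "Audit Failure" or "Audit Success"
    src_ip: str      # client address in the 4769 event data
    user: str        # account name in the 4769 event data
    status: str      # Kerberos result code, e.g. "0xD", "0x7", "0x0"


def is_counted_failure(ev, ignored_status=frozenset()):
    """Base condition: a failed 4769 whose status code is not excluded."""
    return (ev.event_id == 4769
            and ev.keyword == "Audit Failure"
            and ev.status.lower() not in ignored_status)


def correlate(events, ignored_status=frozenset()):
    """Return [(ts, src_ip, level)], one alert per burst of FREQUENCY
    counted failures from the same source inside TIMEFRAME seconds."""
    window = defaultdict(deque)   # src_ip -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_counted_failure(ev, ignored_status):
            continue
        q = window[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > TIMEFRAME:   # drop events older than the window
            q.popleft()
        if len(q) >= FREQUENCY:
            alerts.append((ev.ts, ev.src_ip, ALERT_LEVEL))
            q.clear()   # reset so one burst yields a single alert
    return alerts


# Constructed sample: a service account on a pod refreshing tickets (ten 0xD
# failures 20 s apart) and an unrelated source producing nine other failures.
SAMPLE_EVENTS = (
    [Event(1000 + 20 * i, 4769, "Audit Failure", "10.0.5.21", "svc-app$", "0xD")
     for i in range(10)]
    + [Event(1005 + 15 * i, 4769, "Audit Failure", "192.0.2.10", "jdoe", "0x7")
       for i in range(9)]
    + [Event(1100, 4769, "Audit Success", "10.0.5.21", "svc-app$", "0x0")]
)


def alerted_sources(events, ignored_status=frozenset()):
    """Convenience view: the source IPs that produced an alert, in time order."""
    return [src for _, src, _ in correlate(events, ignored_status)]


if __name__ == "__main__":
    print("as-is:      ", alerted_sources(SAMPLE_EVENTS))
    print("0xD ignored:", alerted_sources(SAMPLE_EVENTS, IGNORE_STATUS))
```

Run as-is, both sources reach eight counted failures inside the window, so the service account's ticket refreshes raise the same level 10 alert as the other source; with 0xD excluded from the counted set only the second source alerts. The per-source sliding window and the reset after each alert are the simulation's own choices, not a claim about how the Wazuh engine implements `frequency`/`timeframe`.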