SOC Event Lookup
Event ID 5827NetlogonP2

Windows Event ID 5827: Netlogon denied a vulnerable secure channel connection (machine)

Netlogon Event ID 5827 records that a domain controller denied a vulnerable Netlogon secure channel connection from a machine account.

Applicable version
Windows Server 2008 R2 and later
Last reviewed
2026-07-13

Trigger Scenarios

Microsoft documents this event for CVE-2020-1472 Netlogon secure channel enforcement when a vulnerable machine-account connection is denied.

Key Fields

Machine SamAccountName

The machine account whose vulnerable secure channel connection was denied.

Domain / Account Type

Identifies the domain context and account category for the denied Netlogon connection.

Machine Operating System / Build / Service Pack

Version fields provided in the Microsoft event message and used to verify whether the client is patched or a non-compliant device.

Common False Positives

  • Unpatched or third-party Netlogon clients can trigger denials after enforcement without being active exploitation.
  • Legacy appliances may require vendor remediation and temporary allow-list review, but the vulnerable state is real.

Related Events

MITRE ATT&CK Mapping

  • T1210Exploitation of Remote Services

Detection Notes

Use threshold=1 denied vulnerable machine account connection on a domain controller. Microsoft documents Event 5827 as a denied vulnerable Netlogon secure channel connection from a machine account during CVE-2020-1472 enforcement; that condition is relevant to T1210 Exploitation of Remote Services because Zerologon abuses Netlogon secure channel behavior. Triage Machine SamAccountName, Domain, Account Type, Machine Operating System Build, and any corresponding 5830 allow-list events before deciding whether this is exploitation or an unpatched device.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 5827
| project TimeGenerated, Computer, Account
Splunk SPL
index=wineventlog EventCode=5827 | table _time, host
Sample Log
EventID: 5827
Machine SamAccountName: LEGACY-NAS$
Domain: CORP
Account Type: Workstation Trust
Machine Operating System Build: 7601

Source