Understanding SonicWall Credential Auditor Event Logs

Description

The Credential Auditor feature in SonicOS enhances security by detecting user credentials that may have been exposed in known data breaches. It compares login attempts against a database of compromised credentials and generates event logs accordingly.

Starting with SonicOS 7.3.3 and SonicOS 8.2.2, the Credential Auditor is enabled by default.

For a full overview of the feature, refer to:
https://www.sonicwall.com/support/knowledge-base/understanding-and-using-credential-auditor-on-sonicwall-firewalls/kA1VN00000088Bh0AI

 

Event Message

"Allowed a login attempt by a user whose password was found to have possibly been compromised."

 
What This Event Means

This event indicates that:

  • A user successfully authenticated to the firewall or an associated service.
  • The password used in the login attempt matches an entry in the Credential Auditor database.
  • The system has identified the password as potentially compromised (e.g., exposed in previous data breaches).
  • Despite the risk, the login was allowed, depending on current policy settings.
  • This event is generated for users authenticated through external authentication mechanisms (e.g. LDAP) when the supplied password is identified as compromised by the Credential Auditor database.

Note: This event does not indicate an active breach, but rather a high-risk condition.

To block the login of externally authenticated users with a potentially compromised password, navigate to DEVICE | Users | Settings - Credential Auditor. Under DURING LOGIN, enable "Block login of externally authenticated users with a compromised password".

 

Event Message

"Credential Auditor file download failed."

What This Event Means

This event indicates that:

  • The firewall failed to download the Credential Auditor database required for identifying compromised credentials.
  • The Credential Auditor feature relies on a periodically updated database. If the firewall cannot retrieve this file, the feature will not function as intended.
  • The firewall is not registered on mysonicwall.com or is not in sync with the mysonicwall.com license manager.

To register a SonicWall firewall, refer to: Register firewall

To synchronize licenses on the SonicWall firewall, refer to: Synchronize Licenses
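The two event messages above can be triaged together from exported firewall logs. The following is an added example, not SonicWall code: it assumes the logs are available as key=value text lines carrying `msg`, `usr` and `sn` fields, and the sample lines are constructed.

```python
import re
from collections import Counter

# Message texts exactly as quoted in the article.
MSG_COMPROMISED = ("Allowed a login attempt by a user whose password "
                   "was found to have possibly been compromised.")
MSG_DOWNLOAD_FAILED = "Credential Auditor file download failed."

# Assumed log layout: space-separated key=value pairs, values may be quoted.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}

def triage(lines):
    """Summarise Credential Auditor events per firewall serial (sn)."""
    report = {}
    for line in lines:
        f = parse(line)
        msg = f.get("msg", "")
        if msg not in (MSG_COMPROMISED, MSG_DOWNLOAD_FAILED):
            continue
        fw = report.setdefault(f.get("sn", "unknown"),
                               {"users": Counter(), "download_failures": 0})
        if msg == MSG_COMPROMISED:
            fw["users"][f.get("usr", "unknown")] += 1
        else:
            fw["download_failures"] += 1
    for fw in report.values():
        # Without its database the feature cannot flag anything, so an empty
        # user list on such a firewall is not evidence of clean passwords.
        fw["coverage_gap"] = fw["download_failures"] > 0
        fw["users"] = dict(fw["users"])
    return report

# Constructed sample lines (serials, users and addresses are made up).
HEAD = 'id=firewall sn={} time="2025-01-10 08:{:02d}:00" '
SAMPLE = [
    HEAD.format("EXAMPLE0001", 1) + f'msg="{MSG_COMPROMISED}" usr="jdoe" src=192.0.2.10',
    HEAD.format("EXAMPLE0001", 2) + f'msg="{MSG_COMPROMISED}" usr="jdoe" src=192.0.2.10',
    HEAD.format("EXAMPLE0001", 3) + f'msg="{MSG_COMPROMISED}" usr="asmith" src=192.0.2.44',
    HEAD.format("EXAMPLE0001", 4) + 'msg="Some other event" usr="jdoe"',
    HEAD.format("EXAMPLE0002", 5) + f'msg="{MSG_DOWNLOAD_FAILED}"',
]

if __name__ == "__main__":
    for sn, summary in triage(SAMPLE).items():
        print(sn, summary)
```

Users listed under a firewall are candidates for a password reset; a firewall with `coverage_gap` set should have its registration and license sync checked first.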

Issue ID

GEN8-16608
