I have a reporting / search requirement on Active Directory events. I am using winlogbeat to read events out of the Windows event log, streaming these events to Logstash and further on to a log file and Elasticsearch.
I have managed to search/report on a few of the requirements. One requirement that I am having a challenge with is consecutive failures to logon to a high value asset.
Can you please advise on how this could be done? I need to first classify specific systems connected to the domain as high value ones and then capture logon failures to these.
Thanks for the assistance.
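Added example, not part of the original post: the Python below shows the detection logic the question asks for, run over a constructed sample of winlogbeat-style events. It classifies hosts against a constructed high-value list and raises an alert when a (host, user) pair reaches N consecutive 4625 (logon failure) events with no intervening 4624 (logon success); the ECS field names (winlog.event_id, winlog.computer_name, winlog.event_data.TargetUserName) and the hostnames are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: winlogbeat events as newline-delimited JSON. The ECS-style
# field names (winlog.event_id / computer_name / event_data) are assumed.
SAMPLE_EVENTS = """\
{"@timestamp":"2024-01-01T10:00:00Z","winlog":{"event_id":4625,"computer_name":"DC01.corp.example","event_data":{"TargetUserName":"alice"}}}
{"@timestamp":"2024-01-01T10:00:05Z","winlog":{"event_id":4625,"computer_name":"DC01.corp.example","event_data":{"TargetUserName":"alice"}}}
{"@timestamp":"2024-01-01T10:00:09Z","winlog":{"event_id":4624,"computer_name":"DC01.corp.example","event_data":{"TargetUserName":"alice"}}}
{"@timestamp":"2024-01-01T10:01:00Z","winlog":{"event_id":4625,"computer_name":"DC01.corp.example","event_data":{"TargetUserName":"alice"}}}
{"@timestamp":"2024-01-01T10:01:04Z","winlog":{"event_id":4625,"computer_name":"DC01.corp.example","event_data":{"TargetUserName":"alice"}}}
{"@timestamp":"2024-01-01T10:01:08Z","winlog":{"event_id":4625,"computer_name":"DC01.corp.example","event_data":{"TargetUserName":"alice"}}}
{"@timestamp":"2024-01-01T10:02:00Z","winlog":{"event_id":4625,"computer_name":"WS42.corp.example","event_data":{"TargetUserName":"bob"}}}
{"@timestamp":"2024-01-01T10:02:03Z","winlog":{"event_id":4625,"computer_name":"WS42.corp.example","event_data":{"TargetUserName":"bob"}}}
{"@timestamp":"2024-01-01T10:02:06Z","winlog":{"event_id":4625,"computer_name":"WS42.corp.example","event_data":{"TargetUserName":"bob"}}}
{"@timestamp":"2024-01-01T10:03:00Z","winlog":{"event_id":4625,"computer_name":"FS01.corp.example","event_data":{"TargetUserName":"carol"}}}
{"@timestamp":"2024-01-01T10:03:02Z","winlog":{"event_id":4625,"computer_name":"FS01.corp.example","event_data":{"TargetUserName":"carol"}}}
"""

# Constructed asset classification: the hosts treated as "high value" (lowercase FQDNs).
HIGH_VALUE_HOSTS = {"dc01.corp.example", "fs01.corp.example"}
LOGON_FAILURE = 4625   # Windows Security: An account failed to log on
LOGON_SUCCESS = 4624   # Windows Security: An account was successfully logged on


def detect_consecutive_failures(ndjson, high_value_hosts, threshold=3):
    """Return one alert per (host, user) whose run of consecutive 4625 events on a
    high-value host reaches `threshold`. A 4624 for the same pair resets the run,
    so failures separated by a successful logon are not counted as one burst."""
    streaks = defaultdict(int)
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev["winlog"]["computer_name"].lower()
        if host not in high_value_hosts:
            continue                       # only high-value assets are in scope
        user = ev["winlog"]["event_data"].get("TargetUserName", "").lower()
        key = (host, user)
        if ev["winlog"]["event_id"] == LOGON_SUCCESS:
            streaks[key] = 0               # a success breaks the failure run
        elif ev["winlog"]["event_id"] == LOGON_FAILURE:
            streaks[key] += 1
            if streaks[key] == threshold:  # alert once, when the run first hits the limit
                alerts.append({"host": host, "user": user,
                               "count": threshold, "at": ev["@timestamp"]})
    return alerts
```

In a Logstash pipeline the equivalent is a conditional on the high-value host list (or a translate filter lookup) that tags matching events, followed by the aggregate filter keyed on host and user to maintain the same per-pair counter.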