I have a reporting / search requirement on Active Directory events. I am using winlogbeat to read events out of the Windows event log, streaming these events to Logstash and on to a log file and Elasticsearch.
I have managed to search/report on a few of the requirements. One requirement that I am having a challenge with is: consecutive failures to log on to a high value asset.
Can you please advise on how this could be done? I need to first classify specific systems connected to the domain as high value ones and then capture logon failures to these.
Then you can filter for the IPs of the hosts (event_data.IpAddress) that interest you.
As a bonus, the field event_data.TargetUserName contains the username of the user that tried to log in, and the field event_data.Status contains what failed the authentication.
I agree with Shaoranlaos's suggestion. I actually have a saved search in Kibana for our desktop people to use that includes the fields he mentioned and I also have a transform on the event_id field that links to https://www.ultimatewindowssecurity.com's event description. If you are using Kibana, set the format to URL, Type to Link, and then use https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID={{value}} on the URL Template and [[value]] on the Label Template.
As a side note, if you want to identify any high value assets, you could tag events generated by them with an if in your pipeline and then use the mutate filter to add a tag or even an additional field if you wanted.
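The two answers above describe the pieces separately: filter on the event_data fields (IpAddress, TargetUserName, Status) and tag events from high value assets with a conditional plus a mutate filter in the pipeline. The following is an added example, not code from this thread or from Elastic, that puts the two together in Python over constructed winlogbeat-style JSON lines (the same field layout the thread names: event_id, computer_name, event_data.IpAddress, event_data.TargetUserName, event_data.Status). It tags events whose computer_name is in a hypothetical high value host list, the equivalent of the suggested if / mutate add_tag step, and then counts consecutive failed logons (Event ID 4625) per host and account, resetting on a successful logon (4624). The host list, the threshold of three and the sample events are assumptions made for the example.

```python
"""Tag high value assets and flag consecutive failed logons in winlogbeat-style events.

Added example for the thread above; the host list, threshold and sample log are
constructed, not taken from the original post.
"""
import json
from collections import defaultdict

# Assumption: the analyst maintains this list of high value hosts (lower-cased).
HIGH_VALUE_HOSTS = {"dc01.corp.example", "fs01.corp.example"}

FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESSFUL_LOGON = 4624  # "An account was successfully logged on"

# Constructed sample log: one winlogbeat event per line, as Logstash would write it to a file.
# In a 4625 event written by the target machine, computer_name is the host being logged on to
# and event_data.IpAddress is the source of the attempt. Status 0xc000006d is
# STATUS_LOGON_FAILURE (bad user name or password).
SAMPLE_LOG = """\
{"event_id": 4625, "computer_name": "DC01.corp.example", "event_data": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "WS-BOB.corp.example", "event_data": {"TargetUserName": "bob", "IpAddress": "10.0.0.7", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "DC01.corp.example", "event_data": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "FS01.corp.example", "event_data": {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.9", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "FS01.corp.example", "event_data": {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.9", "Status": "0xc000006d"}}
{"event_id": 4624, "computer_name": "FS01.corp.example", "event_data": {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.9"}}
{"event_id": 4625, "computer_name": "FS01.corp.example", "event_data": {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.9", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "WS-BOB.corp.example", "event_data": {"TargetUserName": "bob", "IpAddress": "10.0.0.7", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "WS-BOB.corp.example", "event_data": {"TargetUserName": "bob", "IpAddress": "10.0.0.7", "Status": "0xc000006d"}}
{"event_id": 4625, "computer_name": "DC01.corp.example", "event_data": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "Status": "0xc000006d"}}
"""


def parse_events(log_text):
    """One JSON document per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_high_value(event, high_value_hosts=HIGH_VALUE_HOSTS):
    """Classify by the host that wrote the event, i.e. the machine being logged on to."""
    return event.get("computer_name", "").lower() in high_value_hosts


def tag_high_value(event, high_value_hosts=HIGH_VALUE_HOSTS):
    """Python equivalent of the suggested pipeline step: if <high value> { mutate add_tag }."""
    if is_high_value(event, high_value_hosts):
        tags = event.setdefault("tags", [])
        if "high_value_asset" not in tags:
            tags.append("high_value_asset")
    return event


def detect_consecutive_failures(events, threshold=3):
    """Return one alert per (host, account) streak of `threshold` consecutive 4625 events.

    "Consecutive" is per host and account: events for other hosts or accounts that are
    interleaved in the stream do not break a streak, but a 4624 for the same key does.
    """
    streaks = defaultdict(list)  # (host, user) -> source IPs seen in the current streak
    alerts = []
    for ev in events:
        if "high_value_asset" not in ev.get("tags", []):
            continue  # only high value assets are of interest here
        data = ev.get("event_data", {})
        key = (ev.get("computer_name", "").lower(), data.get("TargetUserName", "").lower())
        if ev.get("event_id") == SUCCESSFUL_LOGON:
            streaks.pop(key, None)  # a success ends the streak
        elif ev.get("event_id") == FAILED_LOGON:
            streaks[key].append(data.get("IpAddress"))
            if len(streaks[key]) == threshold:  # fire once per streak, not on every later failure
                alerts.append({
                    "host": key[0],
                    "user": key[1],
                    "failures": threshold,
                    "status": data.get("Status"),
                    "source_ips": sorted(set(streaks[key])),
                })
    return alerts


def run(log_text=SAMPLE_LOG, threshold=3):
    """Tag, then detect; returns the list of alerts for the given log text."""
    events = [tag_high_value(e) for e in parse_events(log_text)]
    return detect_consecutive_failures(events, threshold)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

With the constructed sample, only the three failures against DC01 for admin produce an alert: the two failures against FS01 are ended by a success before a third arrives, and the three failures against WS-BOB are ignored because that host is not in the high value list. The tagging step mirrors what the pipeline would do with a conditional and a mutate filter; the streak counting is the part a Kibana saved search alone cannot express, since it needs state across events.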