AD - Winlogbeat - Consecutive failures to logon to specific set of computers

Hi,

I have an reporting / search requirement on Active Directory events. I am using winlogbeat to read events out of windows event log. Streaming these events to LogStash and further on to a log file and elasticsearch.

I have managed to search/report on few of the requirements. One req that I am having challenge with is, Consecutive failures to logon to a high value asset.

Can you please advise on how this could be done. Need to first classify specific systems connected to the domain as high value ones and then capture logon failures to these.

Thanks for the assistance.

We have something simliar set up but with watching all login failures on all server.

In the data from the winlogbeat there are the 4 fields

  • event_id
  • event_data.IpAddress
  • event_data.TargetUserName
  • event_data.Status

Search in the field event_id for 4771 (see Kerberos auth failed)

Than you can filter for the ips of the hosts(event_data.IpAddress) that interest you.

As a bonus in the field event_data.TargetUserName is the username of the user that tried to login written and in the field event_data.Status is written what has failed the auth.

  • 0x18: Bad password
  • 0x12: Account disabled, expired, locked out, logon hours restriction
  • 0x25: Workstation's clock too far out of sync with DC's
2 Likes

I agree with Shaoranlaos's suggestion. I actually have a saved search in Kibana for our desktop people to use that includes the fields he mentioned and I also have a transform on the event_id field that links to https://www.ultimatewindowssecurity.com's event description. If you are using Kibana, set the format to URL, Type to Link, and then use https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID={{value}} on the URL Template and [[value]] on the Label Template.

As a side note, if you want to identify any high value assets, you could tag events generated by them with an if in your pipeline and then use the mutate filter to add a tag or even an additional field if you wanted.

This is awesome. Thanks a lot. I will give this a go.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.