Hi everyone. I'm very new to Elasticsearch. Is it possible to create a dashboard in Kibana showing user account lockouts? If so, how? We used Winlogbeat and Elasticsearch. Appreciate the help.
To better understand: are the blocked users you want in the dashboard from Kibana, or Active Directory users?
Best regards.
Active Directory users. So, it's either disabled user accounts or user account lockouts.
In the Winlogbeat settings you can filter the AD events that report this block. From there Winlogbeat will ingest into Elasticsearch and you will be able to create a dashboard in Kibana.
I recommend reading the link below, about Sysmon for metrics enrichment:
Update: the Sysmon module is in fact enabled. However, I can't see any user account lockout events in Kibana.
What if the Sysmon module is not enabled or being used? Is it possible to just use the filter event.code:"4740" for account lockouts?
Yes. You can filter the event code using KQL, through the Discover module. Below is a screenshot as an example:
Hi. Thank you. I've tried using event.code:"4740" and didn't see any result. Yesterday, one of our admin accounts was locked and that event didn't show in our logs (Kibana Discover).
Update: I've tested it today and didn't see any event id of 4740. However, I saw event id 4625 and 4776 regarding the account lockout. For the event code 4625, it's registered as event.action: Account Lockout and event.outcome: Failure. While event.code: 4776, it has event.action: Credential Validation and event.outcome: Failure. These logs happened after I tried to login again knowing that my account is already locked. Unfortunately, I didn't see any logs about account lockout when it actually happened. Does this make sense?
While I am a beginner myself in this area, here is how I would troubleshoot:
- Does the Windows native system log register the lockout event, i.e. in the Windows logs that Elasticsearch picks up?
- If not, perhaps the Windows system is not configured to log the lockout event and write it to the native system log.
- If the native Windows system log contains the event, perhaps the issue is somewhere in the Winlogbeat configuration.
Hi Dawn,
Thank you for the response.
We have an event collector server, which is where Winlogbeat is installed and running. There is a subscription set up between the domain controllers and the event collector server for the forwarded logs. On the domain controllers, I can see the account lockout (4740) event. I can also see the account lockout event on the event collector under Event Viewer > Applications and Services Logs > Domain Controllers > Security logs. Finally, I found out last Friday that I'm not seeing Security logs from our DCs. It shows our event collector server as the host and not the DCs every time someone logs in to the DCs. It is possible that the Winlogbeat configuration is the issue.
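For the setup described in the last post (Winlogbeat on a Windows Event Collector that receives forwarded Security events from the DCs), the symptom of the collector appearing as the host usually means Winlogbeat is not told that the log contains remote events. Below is an added example Winlogbeat configuration, not from the original thread or from Elastic's docs verbatim; it assumes the subscription writes to the default ForwardedEvents log and that the Elasticsearch host is a placeholder.

```yaml
winlogbeat.event_logs:
  # Events written on the collector by the WEF subscription.
  # Assumption: the subscription targets the default ForwardedEvents log.
  # If it writes to a custom log instead, use that log's name here.
  - name: ForwardedEvents
    # Marks the records as collected from remote hosts, so host.name and
    # winlog.computer_name are taken from the originating DC rather than
    # from the collector running Winlogbeat.
    forwarded: true
    # Limit ingestion to the Security event IDs discussed in this thread:
    # 4740 = account locked out (written on the DC that performed the lockout;
    #        the PDC emulator records it as well),
    # 4625 = logon failure (includes attempts rejected because the account
    #        is already locked),
    # 4776 = NTLM credential validation failure.
    event_id: 4740, 4625, 4776
    tags: [forwarded, ad-security]

output.elasticsearch:
  # Placeholder address; replace with the real cluster endpoint.
  hosts: ["https://elasticsearch.example.internal:9200"]
```

After restarting Winlogbeat, check in Discover with event.code:"4740" and confirm that host.name now shows the domain controller, not the collector. Because 4740 is only written on the DC that locked the account (and the PDC emulator), the subscription has to include every DC, or lockouts processed on an unsubscribed DC will never reach the dashboard.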