Create alerts for disabled accounts

Hi,

I'm trying to create alerts for the disabled account for Azure SSO but am not able to find the context for that. Disabled account checks for event.code : 4725
Failed account checks for event.code : "4625"

The logs do not show anything related to the disabled account. Is there a way this can be accomplished with alerts?

Thanks!

Hello @ajoshi37, and thanks for reaching out to the community. I'm having a little difficulty understanding what you're trying to achieve, but it sounds like getting alert data from Azure to show up in Kibana.

Have you successfully set up an Azure integration with Kibana, and if so which one? From the looks of your question I'm guessing you'd be looking for this one:

/s/default/app/integrations/detail/azure-1.3.0/overview?integration=activitylogs

Which can be set up following the steps below:

Click Add integration from the main menu (very bottom left). Search for Azure, and find the right integration that you need.

Once this is configured you can create your own alerts by navigating to Alerts, manage rules:



and from there creating your own rule based on whatever criteria you want. In your case a custom query of event.code : "4625" might be what you're looking for, but ensure that Kibana is querying the right indices or data view based on your Azure integration.


If this isn't what you're trying to do, please provide some more information and I'll try to figure it out with you.

Hi,

thanks for the follow-up. My alert is a little different.

We have Azure AD accounts which are disabled but we still use them for mailboxes/emails.
I'm trying to create an alert for the failed login attempt for the disabled Azure AD account which was disabled by us.
I'm not sure how to loop 2 Event.code into one alert.

Like first check for event.code : 4625; only if that matches, then check for event.code : "4725" for the same account.
Like if the login failed from any account, then after that check the disabled account list to see whether it's from a disabled account.
But a disabled account only has one event.code, which is "4725", right? Not sure how to implement that.

Hope I make sense now, thanks and let me know your thoughts.

Hey @ajoshi37, thanks for clarifying.

I'm wondering if you could go about it a different way. I'm not an Azure expert so feel free to correct me here, but what about doing a compound query for the failed login alert.

Something like: error_code: 4625 and result_description: *account disabled*

The use of the asterisks would imply a partial match. So the query would look for failed login attempts based on the code 4625, and check that the result_description field has something related to account being disabled. You could take it a step further and use the precise language of the result_description, then the asterisks could be replaced with quotation marks.

Of course the fields may be named differently (event.code instead of error_code, for example), but theoretically this should work.

Looking at a mock response:

@ajoshi37, I reached out to some other elasticians and they shared that it seems like you want a sequence query. You could couple this with an event correlation query:

maybe something like:

sequence
  [event where event.code == "4725"]
  [event where event.code == "4625"]

Hi,

I tried using your suggested method but it was not successful for me.
We disabled one account today and it was not showing in the below "Rule Preview" after I tried a failed attempt for the account, as I saw your updates on the case. I can see the failed attempt for the same account in Azure and Elastic but not in the Rule preview after applying the query for today.

I was not able to check the suggested query in Discover < Logs*. Is there a way I can test the query and then update you on whether that will work or not?

Thanks and let me know your thoughts.
Appreciate you helping, whereas as an Elastic Cloud Platinum member I was thrown some docs which do not make any sense for this problem.

Can you share an entire event (the thing you truncated in your last picture on the left side)? I want to see all the fields; feel free to hide the values if need be. Looks like since it's an EQL query it needs to match on an event category:

sequence
  [ event_category_1 where condition_1 ]
  [ event_category_2 where condition_2 ]

It kind of looks like your category field has the value iam

So you could maybe do:

sequence
  [ iam where event.code == "4725" ]
  [ iam where event.code == "4625" ]

Send a better picture though so I can get a better look at your available fields.

You can also test the query in your dev console:

Here's an example of running a sequence query in the dev console:

Note that I'm using behaviour as the event category. I knew it would be possible as the events I have in my database have behavior as a value for category.

Hey,

I have attached the details of the log-in in the below screenshot with some of the private values changed.
And I tried the query in the Dev tools as you suggested and got a valid response, but not many details.

Thanks and let me know your thoughts.



Looking at the sequence docs, you need to use the event category to denote the sequence.

Your event category is "iam".

Your query may look more like this:

sequence
  [ iam where event.code == "4725" ]
  [ iam where event.code == "4625" ]

The keyword above is iam. You may need to change the order though, meaning maybe 4625 first.

Can you send data for a 4625 event?

Hi again,
Thanks for the follow-up.

There is no IAM event in 4625; the category for that is authentication (line 129). Attaching the screenshot for your reference.
I tried the query in Dev tools also with 4625 above, but no luck, still the error.




Thanks and let me know your thoughts.

Do the two events happen right after each other? Or is the disabled one from way in the past? This might be problematic if so.

Is the data going to two different indices?

I see 1 index as .ds-logs-system-security, is this the index that both events get sent to?

If not you would need to create or use a data view to pool data from multiple sources. It looks like both events regardless of what indices they are, may be a part of your default data view so maybe that.

Though I am not certain of the order:

sequence
  [ authentication where event.code == "4625" ]
  [ iam where event.code == "4725" ]

will be closer to what you're looking for, with a consideration being a data view as mentioned above, and keeping in mind that this would work best if there is a usable time window. Meaning the disabled account events aren't from 2 years ago and the failed login attempt yesterday, but rather when the failed login attempt happens and triggers event A (bad login), another event, event B (disabled account), is also triggered soon after, or vice versa. This way the sequence query has a small window of time to search.

I just did GET _cat/indices/logs-* and too many results came back, so I'm not sure which data stream they are all going to.

These do not happen in a quick interval; it takes around 2-3 months to get the failed event details from the blocked account. It will be good if I can create that for some time, too.
I just tested one for the disabled user and nothing showed up (provided the wrong password for the disabled account).

Thanks and let me know.

Please try the following queries in dev tools:

GET .ds-logs-system-security/_eql/search
{
  "query": """
    authentication where event.code == "4625"
  """
}
GET .ds-logs-system-security/_eql/search
{
  "query": """
    iam where event.code == "4725"
  """
}
GET .ds-logs-system-security/_eql/search
{
  "query": """
    sequence
    [iam where event.code == "4725"]
    [authentication where event.code == "4625"]
  """
}

Also you can find your data views here in the Stack Management section of Kibana, and see which indices they include:

Hi,

I have saved the query and created the rule, but I'm not seeing any alerts from it when I enter a wrong password, as in the below screenshot, though I see some output from the Dev tools.
The Dev tools output is not tailored: it throws the bad password for today and blocked account details from 3 months before, which is odd, and they do not match.
Like Alice wrong password today and Bob blocked account last month. (It has too much private information; otherwise I would have attached a screenshot.)

Thanks and let me know your thoughts.
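The result reported in the last reply, a bad password for one account paired with a disable event for a different account months earlier, is exactly what a sequence without a join key produces: the two stages are only ordered in time, not tied to the same user. The Python below is an added example, not code from this thread or from Elastic. Over a handful of constructed events it contrasts the plain sequence posted above with one joined on the account and bounded in time, which in Elasticsearch EQL are the `sequence by user.name` and `with maxspan=...` clauses. The matching here is a deliberately simplified emulation of those clauses, not the query engine's exact state machine, and it adds Windows event 4722 (account enabled) as the counterpart of 4725 so a re-enabled account is no longer treated as disabled.

```python
from datetime import datetime, timedelta

# Constructed sample events for this example, not real logs. Field names follow the
# ECS names seen in the thread (event.category, event.code, user.name).
EVENTS = [
    {"@timestamp": "2023-01-05T09:00:00Z", "event.category": "iam",
     "event.code": "4725", "user.name": "bob"},    # bob disabled ~3 months earlier
    {"@timestamp": "2023-02-01T09:00:00Z", "event.category": "iam",
     "event.code": "4725", "user.name": "dave"},   # dave disabled ...
    {"@timestamp": "2023-02-15T09:00:00Z", "event.category": "iam",
     "event.code": "4722", "user.name": "dave"},   # ... then re-enabled
    {"@timestamp": "2023-03-01T09:00:00Z", "event.category": "iam",
     "event.code": "4725", "user.name": "carol"},  # carol disabled a month earlier
    {"@timestamp": "2023-04-01T10:00:00Z", "event.category": "authentication",
     "event.code": "4625", "user.name": "alice"},  # alice: bad password, never disabled
    {"@timestamp": "2023-04-01T10:05:00Z", "event.category": "authentication",
     "event.code": "4625", "user.name": "bob"},    # bob: bad password on a disabled account
    {"@timestamp": "2023-04-01T10:10:00Z", "event.category": "authentication",
     "event.code": "4625", "user.name": "dave"},   # dave: bad password, but re-enabled
]


def _ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _is(ev, category, code):
    return ev["event.category"] == category and ev["event.code"] == code


def unjoined_sequence(events):
    """Simplified model of
        sequence [iam where event.code == "4725"] [authentication where event.code == "4625"]
    with no join key: a failed logon completes the sequence with the most recent
    earlier disable event, whichever accounts are involved. Returns
    (disabled_account, failing_account) pairs in time order."""
    pairs = []
    last_disable = None
    for ev in sorted(events, key=_ts):
        if _is(ev, "iam", "4725"):
            last_disable = ev
        elif _is(ev, "authentication", "4625") and last_disable is not None:
            pairs.append((last_disable["user.name"], ev["user.name"]))
    return pairs


def joined_sequence(events, maxspan_days=None):
    """Simplified model of
        sequence by user.name with maxspan=<N>d
          [iam where event.code == "4725"] [authentication where event.code == "4625"]
    A failed logon matches only a disable event for the same account, the account
    must still be disabled (no 4722 since), and when maxspan_days is given the two
    events must fall within that many days. With maxspan_days=None this is the
    "keep a list of disabled accounts and check every failed logon against it"
    approach asked about earlier in the thread. Returns matching accounts in time order."""
    disabled_at = {}  # account -> time it was disabled
    hits = []
    for ev in sorted(events, key=_ts):
        if _is(ev, "iam", "4725"):
            disabled_at[ev["user.name"]] = _ts(ev)
        elif _is(ev, "iam", "4722"):
            disabled_at.pop(ev["user.name"], None)
        elif _is(ev, "authentication", "4625"):
            t0 = disabled_at.get(ev["user.name"])
            if t0 is None:
                continue
            if maxspan_days is not None and _ts(ev) - t0 > timedelta(days=maxspan_days):
                continue
            hits.append(ev["user.name"])
    return hits


if __name__ == "__main__":
    print("no join key            :", unjoined_sequence(EVENTS))
    print("by user.name           :", joined_sequence(EVENTS))
    print("by user.name, 30 days  :", joined_sequence(EVENTS, maxspan_days=30))
    print("by user.name, 120 days :", joined_sequence(EVENTS, maxspan_days=120))
```

Two things fall out of running it. Without the join key every failed logon pairs with carol's disable event, the same kind of cross-account mismatch the last reply describes. With the join on the account only bob is reported, and only as long as the time window is wide enough to cover the 2-3 month gap mentioned above; a 30-day maxspan silently drops the one genuine hit, so for this use case either the window has to be long or the detection has to carry the set of disabled accounts as state rather than relying on the two events arriving close together.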

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.