Educause Security Discussion mailing list archives

Re: Active Directory Lockout Log Tools


From: Taylor Randle <TRandle () PARKER EDU>
Date: Mon, 29 Oct 2018 16:06:18 +0000

Hi Justin,

Most tools I've found really just help you get to the server/service causing the lockout quicker - generally some log 
examination/traffic correlation will still be necessary after that to get to the source IP, but I've found that these have 
helped us by proactively alerting on lockouts and cutting the investigation time down.

ManageEngine's ADAudit Plus <https://www.manageengine.com/products/active-directory-audit/>, specifically the Account 
Lockout Analyzer <https://www.manageengine.com/products/active-directory-audit/windows-ad-user-account-lockout-analyzer.html> 
functionality. This is paid for but is a nice centralized place for analyzing many common AD tasks and can also send 
alerts.

Netwrix's Account Lockout Examiner <https://www.netwrix.com/account_lockout_examiner.html> (free but you have to 
register a "business email" and will forever receive sales emails after)

Microsoft's Account Lockout & Management Tools <https://www.microsoft.com/en-us/download/details.aspx?id=18465> (free)

If you have the time, set up something like the Elastic Stack (formerly known as the ELK 
stack) <https://www.elastic.co/products> to centralize DC/firewall logs and build a dashboard for correlation.

Thanks!
Taylor

Taylor Randle
Director of Client Services & IT Security


2540 Walnut Hill Lane, Dallas, TX 75229
T: 214.902.2439 | F: 214.902.2431
trandle () parker edu<mailto:trandle () parker edu>
www.parker.edu<http://www.parker.edu/> | www.parkerseminars.com<http://www.parkerseminars.com/>

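The correlation Taylor describes (lockout event first, then failed-logon events to find the source) can be done by hand against a DC's Security log before any paid tool is in place. The script below is an added example, not from the thread or any of the products named; it assumes a placeholder DC name, that the account running it can read the Security log remotely, and that failure auditing for Logon and Kerberos Authentication Service events is enabled.

```powershell
# Added example: list account lockouts (4740) from a DC's Security log and, for each one,
# the failed-logon sources (4625 / 4771) recorded for that account shortly before it.
param(
    [string]$DomainController = 'PDC01',  # placeholder; use your PDC emulator, which sees every lockout
    [int]$LookbackHours = 24,
    [int]$WindowMinutes = 15
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Turn an event's EventData section into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($lock in $lockouts) {
    $ld = Get-EventData $lock
    # In 4740 the "Caller Computer Name" (the machine that submitted the bad passwords)
    # is carried in TargetDomainName; it is often a member server, not the real source.
    $user   = $ld['TargetUserName']
    $caller = $ld['TargetDomainName']
    Write-Host ("{0}  LOCKOUT {1}  caller={2}" -f $lock.TimeCreated, $user, $caller)

    # Failed logons for the same account in the window before the lockout.
    # 4625 carries IpAddress/WorkstationName; 4771 (Kerberos pre-auth failure) carries IpAddress.
    # Note: these may be logged on whichever DC handled the attempt, so check other DCs too.
    $fails = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771
        StartTime = $lock.TimeCreated.AddMinutes(-$WindowMinutes); EndTime = $lock.TimeCreated
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = Get-EventData $_; if ($d['TargetUserName'] -eq $user) { $d } }

    $fails | Group-Object { $_['IpAddress'] } | Sort-Object Count -Descending |
        ForEach-Object { Write-Host ("    {0,4} failures from {1}" -f $_.Count, $_.Name) }
}
```

When the caller is a member server (the autologin case in Justin's question), the source IP is usually only in that server's own logs, which is why centralizing them as Taylor suggests pays off.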

................................................





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Justin Hensley
Sent: Monday, October 29, 2018 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Lockout Log Tools

Hello All:
We have been encountering an increased occurrence of user accounts being locked due to our AD lockout policy.  In the 
past, almost all of these issues have been due to a user having a bad password in one of our university systems that 
kept attempting to autologin and caused the lockout.  However, we now believe that attackers are attempting to brute 
force the password with a known username on some accounts.  Would anyone have any suggestions on a quicker way to track 
this activity back to an IP than sorting through all the AD logs?  Are there any tools out there to help with this?

Thanks.

Justin O. Hensley, CEH, CISSP
University of the Cumberlands
Director of Information Security
Division of Information Services
Gatliff Administration Building | Lower Level | Room 008
104 Maple Street, Williamsburg, KY, 40769
606.539.4197 Office | 606.280.3114 Mobile | 606.539.4144 Fax
justin.hensley () ucumberlands edu<mailto:justin.hensley () ucumberlands edu>
www.ucumberlands.edu<https://protect-us.mimecast.com/s/sGX4Cn5lJWF7MMgpu97rnY?domain=ucumberlands.edu>

CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the 
sender and delete this email from your system. Thank you.

