Educause Security Discussion mailing list archives

Re: Active Directory Lockout Log Tools


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Mon, 29 Oct 2018 12:25:41 -0400

On Mon, 29 Oct 2018 at 11:48, Justin Hensley
<justin.hensley () ucumberlands edu> wrote:

We have been encountering an increased occurrence of user accounts being locked due to our AD lockout policy.  In the 
past, almost all of these issues have been due to a user having a bad password in one of our university systems that 
kept attempting to autologin and caused the lockout.  However, we now believe that attackers are attempting to brute 
force the password with a known username on some accounts.  Would anyone have any suggestions on a quicker way to
track this activity back to an IP than sorting through all the AD logs?  Are there any tools out there to help with 
this?

Justin - this is where I really love log agg and visualisation. This
is also 100% in the SIEM realm.

Elastic/Splunk/LogRhythm/QRadar/pick-your-agg-tech all have dashboard
functions. A good dashboard will have:

o the locked accounts
o when they happened
o which system cut the log
o the raw logs themselves
o which system caused the lockout
o where to find the system that caused the lockout

I'm happy to share off-list an example from the dashboard that we use
for some AD lockouts. If you're interested in standing up a VM just to
demo Elastic with Windows logs, I'm happy to help there as well.

Hmm is the CFP for SPC going on? :)

kmw
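An added example of the correlation behind the dashboard items listed above (example code, not from Kevin's or Justin's messages and not tied to Elastic, Splunk or any other product named): each account-lockout event (Windows Security Event ID 4740) is paired with the failed logons for the same account (4625 failed logon, 4771 Kerberos pre-authentication failed) from the preceding window, so the source IPs land in the same row as the caller computer and the DC that cut the log. The EventData field names are those of the real event IDs (in 4740, `TargetDomainName` carries the "Caller Computer Name"); the hosts, accounts, timestamps, addresses, the 30-minute window and the `INTERNAL_NETS` ranges are constructed assumptions for this example.

```python
"""Summarise AD lockouts (4740) and trace each one back to the source
IPs of the failed logons (4625 / 4771) that preceded it."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed campus address space for the internal/external split; replace
# with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events, shaped like flattened Windows Security events
# from a log shipper. Hostnames, accounts, times and IPs are invented.
SAMPLE_EVENTS = [
    # Password guessing at jdoe through a web-facing mail server (4625)
    {"ts": "2018-10-29T15:40:05Z", "host": "mail01", "event_id": 4625,
     "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "WorkstationName": "-"},
    {"ts": "2018-10-29T15:40:07Z", "host": "mail01", "event_id": 4625,
     "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "WorkstationName": "-"},
    {"ts": "2018-10-29T15:40:09Z", "host": "mail01", "event_id": 4625,
     "TargetUserName": "jdoe", "IpAddress": "198.51.100.7", "WorkstationName": "-"},
    {"ts": "2018-10-29T15:40:12Z", "host": "mail01", "event_id": 4625,
     "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "WorkstationName": "-"},
    # 4740: TargetDomainName is the "Caller Computer Name", SubjectUserName the DC
    {"ts": "2018-10-29T15:40:15Z", "host": "dc01", "event_id": 4740,
     "TargetUserName": "jdoe", "TargetDomainName": "MAIL01", "SubjectUserName": "DC01$"},
    # Stale saved credential on one library PC (4771 reports IPv4 clients
    # as IPv4-mapped IPv6 addresses)
    {"ts": "2018-10-29T15:50:00Z", "host": "dc01", "event_id": 4771,
     "TargetUserName": "asmith", "IpAddress": "::ffff:10.20.30.40", "Status": "0x18"},
    {"ts": "2018-10-29T15:52:00Z", "host": "dc01", "event_id": 4771,
     "TargetUserName": "asmith", "IpAddress": "::ffff:10.20.30.40", "Status": "0x18"},
    {"ts": "2018-10-29T15:54:00Z", "host": "dc01", "event_id": 4771,
     "TargetUserName": "asmith", "IpAddress": "::ffff:10.20.30.40", "Status": "0x18"},
    {"ts": "2018-10-29T15:55:00Z", "host": "dc01", "event_id": 4740,
     "TargetUserName": "asmith", "TargetDomainName": "LIBPC-22", "SubjectUserName": "DC01$"},
    # Lockout with no failed logons in our logs at all: a coverage gap to chase
    {"ts": "2018-10-29T16:10:00Z", "host": "dc02", "event_id": 4740,
     "TargetUserName": "cmoore", "TargetDomainName": "VPN-GW", "SubjectUserName": "DC02$"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _normalise_ip(raw):
    """Strip the '::ffff:' prefix 4771 puts on IPv4 client addresses."""
    raw = (raw or "-").strip()
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw


def _classify(ip):
    """'internal', 'external' or 'unknown' (placeholder such as '-')."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def _assess(ip_counts):
    """Starting-point triage note; a human still looks at the raw logs."""
    if not ip_counts:
        return "no failed logons in window: check log coverage"
    external = sorted(ip for ip in ip_counts if _classify(ip) == "external")
    if external:
        return "external source(s) guessing passwords: " + ", ".join(external)
    internal = [ip for ip in ip_counts if _classify(ip) == "internal"]
    if len(internal) == 1:
        return "single internal source: likely a stale saved credential"
    return "multiple internal sources: investigate"


def summarize_lockouts(events, lookback=timedelta(minutes=30)):
    """One row per 4740, holding what the dashboard lists plus the source
    IPs of that account's failed logons inside the lookback window."""
    failures = defaultdict(list)  # account -> [(time, source ip)]
    for e in events:
        if e["event_id"] in (4625, 4771):
            failures[e["TargetUserName"].lower()].append(
                (_parse_ts(e["ts"]), _normalise_ip(e.get("IpAddress"))))
    rows = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event_id"] != 4740:
            continue
        acct, t = e["TargetUserName"].lower(), _parse_ts(e["ts"])
        prior = [ip for ts, ip in failures[acct] if t - lookback <= ts <= t]
        ip_counts = Counter(prior)
        rows.append({
            "account": acct,
            "locked_at": e["ts"],
            "logged_by": e["host"],                    # which system cut the log
            "caller_computer": e["TargetDomainName"],  # which system caused it
            "failed_logons": len(prior),
            "source_ips": dict(ip_counts),             # where to look next
            "assessment": _assess(ip_counts),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_lockouts(SAMPLE_EVENTS):
        print(row)
```

The 4740 alone only names the caller computer; the IP Justin is after lives in the 4625/4771 events, which are written on the server or DC that refused the logon, so those logs must be shipped to the aggregator as well or the `failed_logons` column stays at zero, as the last sample row shows.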

