The SolarWinds AppInsight component “Account failed to logon event”, as delivered, does not perform as intended or as documented, and this should be reported as a bug. However, I have been informed that the issue must first be vetted as a feature request before it can be accepted by development as an actual bug.
Description as documented:
AppInsight for Active Directory “Account failed to logon event” component details: “This monitor returns the number of failed login events with incorrect username or password. Event ID: 4625. Check for attempts where Target Account Name equals Administrator or the renamed default administrator account. Check multiple logon failures that are below the account lockout threshold.”
Description as functioning/delivered:
AppInsight for Active Directory “Account failed to logon event” component details: “This monitor returns the number of failed login events with incorrect username or password. Event ID: 4625. Check multiple logon failures that are below the account lockout threshold.”
The AppInsight component should filter on the default Domain Administrator account and report its failed logons. Best practice is that no interactive logons are allowed for the default Administrator, so this AppInsight monitor would alert when failed logon attempts for that account are greater than 1.
If the developers choose, the alert could be expanded to filter by customer-selectable Active Directory groups, for example Domain Admins. This would allow thresholds to alert when multiple high-risk accounts are failing to log on, indicating that a password cracking attempt kept below the lockout threshold is underway.
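For comparison with the component as documented, here is the same check done with native tooling: count Event ID 4625 for the RID-500 Administrator (renamed or not), optionally for Domain Admins members too, and flag accounts above the threshold. This is an added example, not SolarWinds or THWACK code; it assumes a domain controller with the ActiveDirectory module and read access to the Security log, and the lookback window and threshold values are illustrative.

```powershell
# Added example, not SolarWinds code: reproduce the documented check natively so the
# expected AppInsight behaviour can be verified against it. Assumes a domain
# controller with the ActiveDirectory module; window and threshold are illustrative.
Import-Module ActiveDirectory

$LookbackMinutes     = 15      # evaluation window (assumed)
$AlertThreshold      = 1       # per the post: alert when failed attempts exceed 1
$IncludeDomainAdmins = $true   # the optional group-based extension from the post

# The built-in Administrator is always RID 500, so a renamed account is still found.
$domain       = Get-ADDomain
$builtinAdmin = (Get-ADUser -Identity "$($domain.DomainSID.Value)-500").SamAccountName
$watched      = @($builtinAdmin)
if ($IncludeDomainAdmins) {
    $watched += Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName
}
$watched = $watched | Sort-Object -Unique

# Collect 4625 events in the window and pull the fields from the event XML.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Target    = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        SubStatus = ($data | Where-Object Name -eq 'SubStatus').'#text'
        SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
    }
}

# SubStatus 0xC000006A = wrong password, 0xC0000064 = unknown user name: the
# "incorrect username or password" failures the component description refers to.
$hits = $failures |
    Where-Object { $watched -contains $_.Target -and
                   $_.SubStatus -in @('0xc000006a', '0xc0000064') } |
    Group-Object Target |
    Where-Object Count -gt $AlertThreshold

foreach ($h in $hits) {
    'ALERT: {0} failed logons for {1} in {2} min (sources: {3})' -f $h.Count, $h.Name,
        $LookbackMinutes, (($h.Group.SourceIp | Sort-Object -Unique) -join ', ')
}
```

Running this on a domain controller alongside the AppInsight component makes the gap visible: if the script raises an alert for the Administrator account while the component stays silent, the Target Account Name filter described in the documentation is not being applied.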