Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Local Filter - Domain Admin Login/Authentication Failures

Hello,

I am looking at creating this filter for domain admin login/authentication failures.

the filter uses the failedauthentication.destinationaccount which points to my directory service group for builtin domain admins. it also uses the userlogonfailure.destinationaccount which also points to the same builtin domain admins directory service group.

When I try to test this filter, I RDP to a domain connected server and try to login as my domain admin account. I use the right username but purposely try the password wrong. I would expect that my filter would see this and alert me but its not.

is there something im missing?

mbaker_wv

Find more posts tagged with

Accepted answers

All comments

npatterson

You must make sure the GPO for audit login if set for logging.

Check if your security event log shows the event

Next check if the user defines group is set up for domain admins for this the active directory configuration is required to pick the groups.

if just filter you can filter by directory service group only rules do this so you would have to make a user defined group to filter in live stream if that helps.

mbaker_wv

thanks for the reply npatterson

I found the issue this afternoon. I was looking at some logs when i RDP to a server and noticed that the logs were coming via the userauthticketfailure. Once i combined this with the domain admins group, the alert came rolling in. I figured it would have been picked up from userlogonfailure or authenticationfailure but it didn't.

Im working on something new now... i never get anything in security. That's my next goal lol. SEM is difficult to setup for sure and documentation isn't the best either lol. So far i have had to figure things out on my own and feel things out the whole way.

mbaker_wv