4 Replies Latest reply on Feb 28, 2017 3:18 PM by zor999

    Alert on login attempts of disabled accounts


      I am pretty new to LEM (6.3.1) and am having some problems setting up a new rule.  I am trying to create a rule that will email me an alert when there is a login attempt of a disabled domain account.  I have email and the Directory Services Connector working for other rules so I'm okay there.  I have a Directory Services Group defined for the Domain group I created called "Disabled Accounts".  My problem is I am not sure how to craft the Correlations to get LEM to alert on login attempts for that group.


      I would rather learn this and not just be handed a solution so if anyone could point me in the right direction that would be great.  I found nothing useful in the User Guide nor the KB's on Solarwinds site but if there is something in either place that I missed that answers my question a link/page number would be perfect.


      thank you


        • Re: Alert on login attempts of disabled accounts

          Okay, so in an effort to not put the answer on a platter...


          I have a test domain and I have some disabled accounts.  I tried to mstsc from one server to another with a disabled account, and in LEM I see this:


          2017-02-28 10_00_36-SolarWinds Log & Event Manager.png


          Now, I have to admit that I'm not super familiar with this particular event, so I went to Randy Smith and asked what it meant.  I got this page:


          Windows Security Log Event ID 4768 - A Kerberos authentication ticket (TGT) was requested


          Now, if you look at the sample event, in the Extraneous Info field you can see a status code, "0x12" which I highlighted.  According to Randy, that means that the client account is:


          0x12Clients credentials have been revokedAccount disabled, expired, locked out, logon hours.


          So, good news!  You don't need a special AD group, because you can run the correlation off any account that is disabled, regardless of group membership!


          Therefore, I'd say you'd want to start with a correlation for UserAuthTicket events (that's the event type that I got) and look in the ExtraneousInfo field for that 0x12 string, and maybe look for a ProviderSID of Microsoft-Windows-Security 4768.


          Let me know if you want more than that to help you on your way!

          1 of 1 people found this helpful
          • Re: Alert on login attempts of disabled accounts

            I am all set.  I now receive an email when a disabled domain user account is used to try to login.  Thank you for stepping me through it.  I think I understand a lot of different aspects of the rule building process.