3 Replies Latest reply on Jan 7, 2013 2:08 PM by nicole pauls

    build an nDepth query

    kris_mortensen

      I need urgent assistance in trying to build an nDepth query. I need to see all authentication attempts (whether failed or successful) for a particular Active Directory account within the last two days. Account lockouts for that account during the same time frame would be helpful to see as well. How do I generate this query?

        • Re: build an nDepth query
          Chrystal Taylor

          In the nDepth tool, I would navigate to the Search Builder (the last selection on the bottom) to make it easier to build.  Then you can try with:

          Events>Failed Authentication>Destination Account OR

          Events>UserAuthTicketFailure>Destination Account OR

          Events>UserAuthTicket>Destination Account

          See if that gets you the information you need.

          Hope this helps

          Chrystal Taylor

          http://www.loop1systems.com

            • Re: build an nDepth query
              kris_mortensen

              Thank you! It looks like this shows me what I am looking for.

                • Re: build an nDepth query
                  nicole pauls

                  Handy tip - if you have a filter that shows you what you're interested in in real time, you can always go Gear (on the top left) -> send to nDepth to search for the same data historically.

                  You might want to use an Alert/Event Group to expand to all types of "Auth Audit Events" (not just individuals) - something like Auth Audit Events.DestinationAccount = <blah>. DestinationAccount generally shows you the target account (the account being logged on TO), SourceAccount shows you the account events might be coming from (usually only for changes).

                  nDepth also has a common/combined field called "Username". You can build some queries after the fact that just use the fields and don't refine to specific event types by dragging that field from the "Refine Fields" to the search bar/search area.
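The two query shapes discussed in this thread (Chrystal's OR of three event types on Destination Account, and Nicole's looser search on the combined "Username" field) expressed as plain Python over a constructed event list, so the difference between them can be seen on sample data. This is an added example, not code from the thread or from the nDepth tool: the event records, the `AccountLockout` type name, the `host` field and the reference time are assumptions made for the example; only the three auth event-type names and the DestinationAccount/SourceAccount field names come from the posts above.

```python
from collections import Counter
from datetime import datetime, timedelta

# The three event types the thread OR's together. The lockout type name is an
# assumption for this example, not an identifier taken from the tool.
AUTH_EVENT_TYPES = {"FailedAuthentication", "UserAuthTicketFailure", "UserAuthTicket"}
LOCKOUT_EVENT_TYPE = "AccountLockout"  # assumed name

# Constructed reference time for the "last two days" window.
NOW = datetime(2013, 1, 7, 14, 0)


def _ev(age, etype, dest, source=None, host="DC01"):
    """Build one constructed event record that occurred `age` before NOW."""
    return {"time": NOW - age, "type": etype,
            "DestinationAccount": dest, "SourceAccount": source, "host": host}


# Constructed sample events (not real data): activity against "jdoe" plus noise.
SAMPLE_EVENTS = [
    _ev(timedelta(hours=1), "UserAuthTicket", "jdoe"),
    _ev(timedelta(hours=5), "UserAuthTicketFailure", "jdoe"),
    _ev(timedelta(hours=4, minutes=59), "FailedAuthentication", "jdoe", host="WS17"),
    _ev(timedelta(hours=4, minutes=50), "AccountLockout", "jdoe"),
    _ev(timedelta(days=3), "UserAuthTicket", "jdoe"),                   # outside the window
    _ev(timedelta(hours=2), "UserAuthTicket", "asmith"),                # different target account
    _ev(timedelta(hours=3), "AccountChange", "asmith", source="jdoe"),  # jdoe only as SourceAccount
]


def query_destination_account(events, account, now=NOW, days=2):
    """Equivalent of the thread's query: auth or lockout events whose
    DestinationAccount (the account being logged on TO) is `account`,
    within the last `days` days. Returns matches oldest first."""
    cutoff = now - timedelta(days=days)
    wanted = AUTH_EVENT_TYPES | {LOCKOUT_EVENT_TYPE}
    hits = [e for e in events
            if cutoff <= e["time"] <= now
            and e["type"] in wanted
            and e["DestinationAccount"] == account]
    return sorted(hits, key=lambda e: e["time"])


def query_username(events, account, now=NOW, days=2):
    """Equivalent of searching the combined "Username" field without refining
    to event types: any event in the window where the account appears as
    either DestinationAccount or SourceAccount. Broader, so it also picks up
    changes the account made rather than logons against it."""
    cutoff = now - timedelta(days=days)
    hits = [e for e in events
            if cutoff <= e["time"] <= now
            and account in (e["DestinationAccount"], e["SourceAccount"])]
    return sorted(hits, key=lambda e: e["time"])


def summarize(hits):
    """Count matches per event type so lockouts stand out next to failures."""
    return dict(Counter(e["type"] for e in hits))


if __name__ == "__main__":
    for e in query_destination_account(SAMPLE_EVENTS, "jdoe"):
        print(e["time"], e["type"], e["host"])
    print(summarize(query_destination_account(SAMPLE_EVENTS, "jdoe")))
    print(summarize(query_username(SAMPLE_EVENTS, "jdoe")))
```

On the sample data the DestinationAccount query returns the four logon-related events for jdoe inside the window and drops the three-day-old ticket and the other account's logon; the Username-style query additionally returns the account-change event where jdoe is only the SourceAccount, which is the kind of extra hit Nicole's note about DestinationAccount versus SourceAccount warns you to expect.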