9 Replies Latest reply on Jan 16, 2013 4:37 PM by nicole pauls

    TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?

    Apollo

I have a TriGeo/LEM rule that kicks off if an end user's account is locked out after so many attempts and it works great. I would like to have the email also include which domain controller it pulled that information from if possible. This could help us determine at what location this person was at that time. Another nice to have would be from what machine the attempt was made. If this is possible I could use some help on getting the actions dialog properly populated.


      Thank you.


      Steve

        • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
          nicole pauls

          One option is to switch to the "Account Lockout" template from the "Account Modification" template.


          $info = UserDisable.EventInfo (which contains the name of the account)

          $date = UserDisable.DetectionTime (when)

          $source = UserDisable.SourceMachine (computer where the user was locked out)

          $dest = UserDisable.DestinationMachine (DC where the lock was activated - could also use InsertionIP if it's coming from that DC's event log)


The other option would be to add new SourceMachine and DestinationMachine fields to your template (in Build > Groups) and populate those fields as above in the rule. The new fields will appear when you edit the rule after updating the template (so if you've got the rule open, be sure to close it first).


          Let me know if a screenshot or anything would help!

            • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
              Apollo

              Nicole,


              Thank you. I've actually set up the Account Lockout rule yesterday and would like the ability to have the alert include the offending IP, but I don't think that's possible without having an agent on the workstation itself. Cost wise, that just isn't feasible.


              Is there a way to add the alert information (windows event narrative) within the email alert as well?


              ~Steve

                • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                  nicole pauls

                  When the DC records the event, it does record the workstation that served the last logon failure that triggered the lockout - so you SHOULD be getting that information. Now, if they were failing to log on from multiple different sources, it will just show the source of the last one, since the last one is what caused the actual account lockout to trigger. There are multiple UserDisable events that fire when the lockout happens so you should probably look for the one that says "Account Lock" (or Lockout or Locked) in the EventInfo field, or Security 644 or Security 4740 in the ProviderSID. You'll see duplicates about the account being changed that won't have that extra detail.


                  If you're looking at the DC's Event Log event itself (Event ID 644 or 4740) this is the "Caller Computer Name" or "Caller Computer Name" value, which we put in SourceMachine.


                  Everything that comes into the Windows Event gets translated in LEM - so you should have the same resultant data in our fields, but you don't have the original source event as it's seen in the event log. Interestingly, the event log is 2 pieces, one of which is dynamic and the other is like a template. What gets saved in the log is "use template for Event ID 644 with these fields" (which is why sometimes you see the error in the event log when you access it remotely without the application installed that says something like "I'm not sure what this is, but here's the data").


                  Anyway, if you're looking at a particular field in the event log and want to know where it went in LEM, let me know what event ID and field you're looking at and we can translate. With the Windows Security Log, we tried not to drop ANY information from the values that are stored (other than the template text).

                    • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                      Apollo

                      Nicole,


                      Right now I have the following in this template:


                      System: $info

                      At $date

                      From: $DetectionIP

                      Source: $source

                      Destination: $dest


When the alert kicks off I'm getting the domain controller name from the $DetectionIP and from the $Source (same information). The destination information is usually blank. The $info does populate with the proper domain and account that was locked.


                      ~Steve

                        • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                          nicole pauls

                          Looks right. Maybe you're catching the resultant UserDisable events and not the original? You might drop in the ProviderSID and make sure it's 644/4740 (the "Account Lockout" not "Account Disable" event), or check using a search/filter to see what's causing the rule to fire. When it fires, do you get more than one email?

                            • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                              Apollo


Verified that I'm using the account lockout event (as far as I can tell from the template). Only one email fired per lockout as well.

                                • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                                  nicole pauls

                                  I read a few TechNet articles on this question (blank caller name) and came up with a few things that won't have the name in there:

                                  1. A device not joined to the domain but triggers a domain lockout (say a workstation that's in a workgroup but logging on to domain resources like file shares by manually typing in username/password at prompts)
                                  2. A device not on the local network (e.g. smartphone remotely accessing mail)
                                  3. Any other non-Windows systems (Linux/OSX, NAS, proxy, etc)
                                  4. Something that doesn't have DNS/NetBIOS resolution
                                  5. A lockout from services, instead of an interactive logon


                                  In one thread, someone from Microsoft replied that in order to make it reliable they'd have to do some non-standard stuff... like that's been a problem before?


                                  Unfortunately the original logon failures happen at the endpoint where they were generated, as you already know, so unless they are failing to a service/server that's on the domain and has local event log coverage, they might be hard to track down. I'd probably run an nDepth search on UserLogonFailure.DestinationAccount = <user that was locked out> to see if I could trace it back, but it's unfortunate that the lockout just doesn't have it.
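A worked example of the search Nicole describes, added here and not part of the thread or of LEM itself: pick out the 4740/644 lockout events, read the Caller Computer Name, and when it is blank fall back to the logon failures recorded for that account in the minutes before the lockout. The events, account names, hostnames and addresses are constructed; the one-line-per-event layout and the use of 4625 (logon failure) and 4738 (account changed) as the neighbouring event IDs are assumptions about the log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real log data) in a simplified
# "EventID|timestamp|message" layout: 4740 is the lockout, 4625 the
# logon failures that preceded it, 4738 the "account changed" duplicate
# that fires alongside the lockout and carries no caller detail.
SAMPLE_EVENTS = [
    "4625|2013-01-15 09:58:10|Account Name: jdoe Workstation Name: LAPTOP-07 Source Network Address: 10.0.0.55",
    "4625|2013-01-15 09:58:40|Account Name: jdoe Workstation Name: LAPTOP-07 Source Network Address: 10.0.0.55",
    "4740|2013-01-15 09:59:01|Account Name: jdoe Caller Computer Name: LAPTOP-07",
    "4738|2013-01-15 09:59:01|Account Name: jdoe",
    "4625|2013-01-15 11:20:05|Account Name: asmith Workstation Name: - Source Network Address: 203.0.113.9",
    "4740|2013-01-15 11:21:00|Account Name: asmith Caller Computer Name: ",
]

LOCKOUT_IDS = {"4740", "644"}  # 644 is the pre-2008 lockout event ID

def _field(msg, name):
    # Windows writes "-" for an unknown value; treat it like an empty one.
    m = re.search(name + r":\s*(\S*)", msg)
    val = m.group(1) if m else ""
    return "" if val in ("", "-") else val

def parse_event(line):
    event_id, ts, msg = line.split("|", 2)
    return {
        "id": event_id,
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "account": _field(msg, "Account Name"),
        "caller": _field(msg, "Caller Computer Name"),
        "workstation": _field(msg, "Workstation Name"),
        "source_ip": _field(msg, "Source Network Address"),
    }

def explain_lockouts(lines, window=timedelta(minutes=10)):
    """For each lockout, report the caller (None when the DC could not name
    it) and the workstation/address pairs seen in that account's 4625 logon
    failures during the preceding window."""
    events = [parse_event(l) for l in lines]
    results = []
    for lock in (e for e in events if e["id"] in LOCKOUT_IDS):
        failures = [e for e in events if e["id"] == "4625"
                    and e["account"] == lock["account"]
                    and lock["time"] - window <= e["time"] <= lock["time"]]
        results.append({
            "account": lock["account"],
            "caller": lock["caller"] or None,
            "failure_sources": sorted({f"{f['workstation'] or '?'}/{f['source_ip'] or '?'}"
                                       for f in failures}),
        })
    return results
```

In the constructed data the second lockout has no caller name but the preceding 4625 carries an address, which is the kind of lead the nDepth search on UserLogonFailure.DestinationAccount is meant to surface.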

                                    • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                                      Apollo

                                      Nicole,


That's exactly what we're trying to verify...A device not on the local network (e.g. smartphone remotely accessing mail). We have one iPhone user that keeps getting locked out of his domain account. We've tracked it down to either a virus, Windows backup login error or a Smartphone. No viruses found and we've disabled the Windows backup service so we're back to thinking it's his Smartphone. Apple support forums show/acknowledge this issue, but come short of admission or a solution.


Thank you very much for your input. It's been very helpful.


                                      Steve

                                        • Re: TriGeo/LEM  Alert Rule - User Lockout...how to add DC info?
                                          nicole pauls

                                          With Exchange, when I saw this problem with phones, I saw the original logon failures either in IIS or on the Exchange server. You might dig back just on that username and see what events they are generating around that time period in general and see if you can spot some UserLogonFailures anywhere in there. (In LEM, open nDepth and replace the blank at the top with their username, which will search everything that contains their username; might need to refine timeframe to one around a lockout event, then you can dig in from there with further refinement)


                                          Another possible lead.... I'd expect you might see UserAuthTicketFailure alerts if you've got your domain policy set to audit both kinds of logon failures (not just "account logons" but "logons"). Those are logged by Kerberos directly and might provide another angle to trace back, especially if it's coming through something that authenticates with LDAP directly. They are often not hugely useful or duplicate actual UserLogonFailures, but in this case you might need the redundancy since you're having trouble tracking it down.