Ultimately I'm trying to create a rule to detect when a user has had multiple account lockouts over a predefined period of time. The problem that I'm dealing with is that in our environment when a user is "locked out" the event is reported across multiple data sources as the lockout is synced across multiple domain controllers. So a single lockout is reported as 2-4 lockouts. This skews my reporting and my ability to accurately alert on repeat lockouts.
I've created a rule to match Signature ID: 43-26304700 (out of the box windows event ID for account lockout) where I group by 'Source User' and have an advanced option set to 1 distinct Source User and a Time_Window parameter to 2 seconds. I'm trying to say "If a unique source user was observed matching the 'account lockout' signature ID within a period of 2 seconds make that a single "lockout" event. Not sure that this rule is set up right (or that I'm taking the right approach) but either way the rule is still matching on each individual lockout.
SIEM aside, how would you describe events that should be correlated vs. not? If you were just looking at the events, from multiple DCs, how could you tell which events were the events you cared about and which were duplicates? Thanks.
I would describe events I want correlated as:
- SignatureID = 43-263047400 (Windows event ID 4740 - Account Lockout)
- Source User = Unique (same Source User)
Time Window = (1 second)
My thinking here is that it would correlate all observed lockout events (from our multiple DCs) where the source user is the same and the events happened within one second of each other. Wouldn't this capture all lockout events by a single user within 1 second as a single "lockout"?
When I look at lockout events in ESM I see users that have (for example) 8 reported lockouts when in fact they have two. One lockout took place at 12:00PM and was logged in 4 DC logs and the other took place at 14:00 and was logged in 4 DC logs. I'm looking to create a rule (again not sure if rule is the right place to do this) here the 4 events at 12:00 would be one lockout event and the 4 events at 14:00 is another lockout event.
Ultimately I would use this rule to make another rule to trigger for users that have had multiple account lockouts over 24 hours, etc
Not sure if that answered your question?
I think a time window like that is a bit too granular to yield consistent results with so many variables.
What is a normal amount of time for an account to be locked out, unlocked and locked out again?
Or, would it be possible to only correlate events from a single DC for lockouts? Thanks.
I'll open up the time window -- I did have it set to 10 seconds previously. I cannot use a single DC because the lockouts are not consistent (sometimes users only get locked out on DC1 and DC2 but not 3 or 4, etc). I can say that the lockout times are always consistent across the DCs.
Some background information as to why you are seeing duplicate lockout events.
The number of lockout events will depend on how your Active Directory Admins setup the Domain Controller Replication Partners in Sites and Services (I believe).
If it is a remote site, with low bandwidth, and many hops, the lag time will increase between the duplicate lockout events.
Once you create your Account Lockout rule that will try to reduce your 2-4 lockout events down to 1, you can then create another correlation rule to correlate on the results of the first.
So if Betty Sue's account locks out at 8:00 am, and again at 10:30 am, and lastly at 3:00 pm, it should have triggered 3 lockouts based on your first correlation, and maybe 1 event when looking for multiple lockouts within a given time for a given user.
I am seeing similar issues in my environment. One account signs on 5 times with wrong password and the account locks. This triggers the EventID 4740 for an account lockout. One would think the account change could occur only once on one DC. As in theory the following DCs couldn't modify an account that is already locked.
We could write rules upon rules to aggregate the event with some degree of accuracy. But the failure in accuracy is on the DC. Why is this event, showing up in multiple DCs. Has anyone figured out a reason for multiple events in the first place? Is it Domain functional level, Encryption Schemas on the endpoints, related to performance on the DCs?