2 Replies Latest reply on Dec 19, 2013 3:12 AM by mlev462251

    Windows AD Account Lockout

    docdriza

      Does anyone know what the Signature ID is for an account being locked out? On my AD server I see that an account was locked out, but I do not see the event in the SIEM.

      To further expand on my question, I would like to create an AD Audit view within the ESM. My manager would like to see all of the account lockouts, failed logins and things along those lines.

      I am not asking for someone to do this for me, but getting an idea of what the signature IDs are would be helpful.

      Thanks,

      Doc

       

      Message was edited by: docdriza on 12/18/13 2:21:48 PM CST
        • 1. Re: Windows AD Account Lockout
          JohnStark

          There are a couple of built-in dashboard views that you could use to get this information. Under Compliance Views, select FISMA - Account Lockouts or 27002 - Account lockouts. Another view under Compliance is 27002 - All Domain Acct logon Failures. Under Executive views, there is a Critical Authentication Issues view. That one will show more than account lockouts.

          • 2. Re: Windows AD Account Lockout
            mlev462251

            I suggest using Normalized IDs 405815296/18 and 405831680/18 as a filter on your domain controllers data to get acc locks & unlocks.

            1 of 1 people found this helpful