I'm looking at how the Windows events are parsed and am not finding a simple way yet, but will keep looking and maybe something will jump out. I would like to suggest another approach. This approach would involve creating a dynamic watchlist which queries AD every x hours and creates a list of users who have this flag set. This list could then be used as a filter in the report. Depending on your use case there are a couple of different approaches which I'll present here at a high level.
Use Case 1: A report of users created with the flag set for Password Never Expires.
(Create a dynamic watchlist of type destination user which will query AD for the list required.)
- Open Watchlists and click add.
- Main tab - Enter name, select Dynamic, enable automatic updates and select an update frequency and time.
- Source tab - select LDAP, add the IP and the credentials.
- Query - Set the Lookup Attribute to sAMAccountName (default) and paste the following query
- Values tab - select type of destination user then run now. It is destination user since the source user field in these events is the user that created the user and destination user is the name of the user created.
From here create a report or view which filters on the appropriate Windows ID. You can do this from a filter list for Signature ID, select Windows and enter the signature ID such as 4738, and add a filter for the destination user being in the watchlist created above.
Use Case 2: Create a list of user IDs as above to use in correlation rules, reports or views.
- Create a watchlist exactly as above but on the values tab select Source User instead of destination user. When a user logs in the id is in the source user field.
- You can then create reports, views and correlations using the source user watchlist as a filter and this will provide real time monitoring of these users and their activity.
Hope this helps, and if I find out anything more I will let you know.
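To make the two use cases above concrete, here is an added example (my own code, not from this thread or from the SIEM vendor). It builds the "Password Never Expires" watchlist the same way the dynamic LDAP watchlist would, by testing the DONT_EXPIRE_PASSWORD bit (65536) of userAccountControl, and then filters constructed Windows event records against it by signature ID and user field. The directory entries, the event lines and their key=value layout are all constructed here; which raw Windows field a given SIEM normalises into "source user" versus "destination user" is product-specific and is only assumed in the comments.

```python
"""Added example: 'password never expires' watchlist + event filtering (constructed data)."""
import re

# userAccountControl bit for "Password Never Expires" (DONT_EXPIRE_PASSWORD).
DONT_EXPIRE_PASSWORD = 0x10000  # 65536

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test a single bit of an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def never_expires_filter() -> str:
    """LDAP filter that returns user objects whose userAccountControl has the flag set."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_EXPIRE_PASSWORD}))"
    )


# Constructed stand-in for what the watchlist's LDAP query would return:
# one dict per directory entry with the lookup attribute and userAccountControl.
CONSTRUCTED_AD_ENTRIES = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048},  # 512 | 65536
    {"sAMAccountName": "jdoe", "userAccountControl": 512},          # normal account
    {"sAMAccountName": "svc_legacy", "userAccountControl": 66050},  # disabled + never expires
    {"sAMAccountName": "asmith", "userAccountControl": 512},
]


def build_watchlist(entries, lookup_attribute="sAMAccountName"):
    """Apply locally the same bit test the LDAP filter applies on the server.

    Names are lower-cased because Windows account names are case-insensitive.
    """
    return {
        e[lookup_attribute].lower()
        for e in entries
        if e["userAccountControl"] & DONT_EXPIRE_PASSWORD
    }


# Constructed Windows Security events in a simple key=value layout.
# 4738 = "A user account was changed": SubjectUserName is the actor (assumed to map to the
# SIEM's "source user"), TargetUserName the account changed (assumed "destination user").
# 4624 = "An account was successfully logged on": TargetUserName is the account that logged on.
CONSTRUCTED_EVENTS = [
    "EventID=4738 SubjectUserName=admin1 TargetUserName=svc_backup",
    "EventID=4738 SubjectUserName=admin1 TargetUserName=jdoe",
    "EventID=4624 SubjectUserName=- TargetUserName=svc_backup LogonType=3",
    "EventID=4738 SubjectUserName=helpdesk TargetUserName=SVC_LEGACY",
    "EventID=4738 SubjectUserName=admin2 TargetUserName=asmith",
    "EventID=4624 SubjectUserName=- TargetUserName=jdoe LogonType=2",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict (values kept as strings)."""
    return dict(FIELD_RE.findall(line))


def match_watchlist(events, watchlist, signature_id, user_field):
    """Return events with the given signature ID whose `user_field` is on the watchlist."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != signature_id:
            continue
        if ev.get(user_field, "").lower() in watchlist:
            hits.append(ev)
    return hits


def use_case_1(events, watchlist):
    """Account-change events (4738) where the changed account never expires its password."""
    return [(ev["SubjectUserName"], ev["TargetUserName"])
            for ev in match_watchlist(events, watchlist, "4738", "TargetUserName")]


def use_case_2(events, watchlist):
    """Logon events (4624) by watchlisted accounts, for ongoing activity monitoring."""
    return [(ev["TargetUserName"], ev["LogonType"])
            for ev in match_watchlist(events, watchlist, "4624", "TargetUserName")]


if __name__ == "__main__":
    wl = build_watchlist(CONSTRUCTED_AD_ENTRIES)
    print("LDAP filter:", never_expires_filter())
    print("watchlist:", sorted(wl))
    print("use case 1:", use_case_1(CONSTRUCTED_EVENTS, wl))
    print("use case 2:", use_case_2(CONSTRUCTED_EVENTS, wl))
```

The bitwise-AND matching rule in the filter is what makes a single LDAP query sufficient: a plain `(userAccountControl=66048)` would miss accounts that combine the flag with other bits (for example the disabled `svc_legacy` entry above), whereas the bit test catches every combination.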
Thanks Mike! I will try these. Been searching for weeks on how to set this up and get results. I will update any progress.
You have the Query as "1. help". Looks like your query did not paste correctly in the conversation pane?
The query should be:
I am using the LDAP source type "LDAP", IP of one of our DCs and account creds of a common LDAP account we use to query AD. When I test the query, I get this:
Failed to authenticate ldapqry: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
The creds are correct and this account is in the correct AD groups so it should have the right permissions. Any ideas?
I've run into this error before, and it's an error returned by AD that indicates invalid credentials. The code after the data token in the error message, which is 52e, is 'Invalid Credentials'.
You can find out more at this link regarding that error.
Yes, I found that link and no help. The account I am using is valid and I tested with other accounts as well, all the same error.
Is it possible your AD admin has enabled secure AD or has AD running on a non-standard port? If so it will be on a different port. If that is the case, for the IP address enter it as IP:port such as 220.127.116.11:3890