[BUG] ESCU - Detect Excessive Account Lockouts From Endpoint #2929
Labels: bug

Comments
Hello @githubonlyy: It seems like the Windows TA logs are not mapping Caller Computer Name to src or dest. Do you have a recommended SPL? A screenshot of how that would look would help with understanding the ask!
Exactly, as you see it is unknown, when it should be the source computer that the lockout occurs on.
On Thu, 25 Jan 2024 at 2:53, Bhavin Patel <***@***.***> wrote:
… Did you want src as an output in the SPL? Here's what it looks like in our test env:
image.png: https://github.com/splunk/security_content/assets/7771446/281314e4-7dd3-4fba-aef9-bffda3b6bc94
Describe the bug
The Caller Computer Name is not extracted in the alert, only the domain controller.
Expected behavior
The Caller Computer Name should be displayed as the source of the lockouts.
Additional context
I tested and locked out 6 accounts from 1 workstation and realized that the dest field was referring to the domain controller and not to the caller workstation.
Example of event 4740:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: WIN-R9H529RIO4Y\John
Account Name: John
Additional Information:
Caller Computer Name: WIN-R9H529RIO4Y
After that I saw that the dm doesn't support this field, which seems to be relevant to the src.
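To make the point of the report concrete, here is an added Python example (not code from the security_content project and not the detection's actual SPL) that parses the 4740 message text shown above, maps the logging host to dest and the Caller Computer Name to src, and then counts distinct locked-out accounts per field. The sample events, the host names (DC01, WKS-42, WKS-07), the EXAMPLE domain and the threshold of 5 are all constructed assumptions for the demonstration. Grouping on dest attributes every lockout to the domain controller; grouping on src attributes the burst to the workstation it actually came from.

```python
import re
from collections import defaultdict


def make_4740(dc: str, domain: str, user: str, caller: str) -> str:
    """Render the message body of a Windows Security event 4740.

    Constructed sample text, modelled on the event quoted in the report:
    the Subject is the domain controller's machine account, the locked-out
    user sits under 'Account That Was Locked Out', and the workstation the
    bad passwords came from is 'Caller Computer Name'.
    """
    return (
        "A user account was locked out.\n"
        "Subject:\n"
        "Security ID: SYSTEM\n"
        f"Account Name: {dc}$\n"
        f"Account Domain: {domain}\n"
        "Logon ID: 0x3e7\n"
        "Account That Was Locked Out:\n"
        f"Security ID: {domain}\\{user}\n"
        f"Account Name: {user}\n"
        "Additional Information:\n"
        f"Caller Computer Name: {caller}\n"
    )


# Constructed test data: six accounts locked out from WKS-42 plus one from
# WKS-07. Every event is written by the domain controller DC01, which is
# what a dest-based grouping ends up pointing at.
SAMPLE_EVENTS = [
    {"host": "DC01", "message": make_4740("DC01", "EXAMPLE", u, "WKS-42")}
    for u in ("alice", "bob", "carol", "dave", "erin", "frank")
] + [
    {"host": "DC01", "message": make_4740("DC01", "EXAMPLE", "grace", "WKS-07")},
]

CALLER_RE = re.compile(r"^Caller Computer Name:\s*(\S+)", re.MULTILINE)
# The first 'Account Name' is the Subject (DC machine account); the one we
# want follows the 'Account That Was Locked Out:' header.
LOCKED_RE = re.compile(
    r"Account That Was Locked Out:.*?^Account Name:\s*(\S+)",
    re.MULTILINE | re.DOTALL,
)


def parse_4740(host: str, message: str) -> dict:
    """Map one 4740 event to the fields discussed in the report.

    dest = the host that logged the event (the domain controller)
    src  = Caller Computer Name (the endpoint the lockout originated from)
    user = the account under 'Account That Was Locked Out'
    """
    caller = CALLER_RE.search(message)
    locked = LOCKED_RE.search(message)
    return {
        "dest": host,
        "src": caller.group(1) if caller else "unknown",
        "user": locked.group(1) if locked else "unknown",
    }


def lockouts_by(events, key: str, threshold: int = 5) -> dict:
    """Group distinct locked-out users by 'src' or 'dest' and return the
    groups whose distinct-user count reaches the (assumed) threshold."""
    users_by_key = defaultdict(set)
    for ev in events:
        rec = parse_4740(ev["host"], ev["message"])
        users_by_key[rec[key]].add(rec["user"])
    return {k: sorted(v) for k, v in users_by_key.items() if len(v) >= threshold}


if __name__ == "__main__":
    # Grouping on dest blames the domain controller for all seven lockouts.
    print("by dest:", lockouts_by(SAMPLE_EVENTS, "dest"))
    # Grouping on src isolates the six lockouts that came from WKS-42.
    print("by src:", lockouts_by(SAMPLE_EVENTS, "src"))
```

The same idea carries over to the SPL side: whichever way the Windows TA extracts the field, the detection needs the Caller Computer Name as its grouping key, not the host that wrote the event, or every burst of lockouts in the domain collapses onto the domain controller.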