[BUG] ESCU - Detect Excessive Account Lockouts From Endpoint #2929

Open
githubonlyy opened this issue Dec 14, 2023 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@githubonlyy

Describe the bug

The Caller Computer Name is not extracted in the alert, only the domain controller.

Expected behavior

The Caller Computer Name should be displayed as the source of the lockouts.

Screenshots


App Version:

  • ESCU: [e.g. 4.17.0]
  • Splunk Security Essentials: [e.g. 3.7.1]

Additional context

I tested and locked out 6 accounts from 1 workstation and realized that the dest field was referring to the domain controller and not to the caller workstation

Examples of 4740
A user account was locked out.

Subject:

Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Account That Was Locked Out:

Security ID: WIN-R9H529RIO4Y\John
Account Name: John

Additional Information:

Caller Computer Name: WIN-R9H529RIO4Y

After that I saw that the dm doesn't support this field, which seems to be relevant to the src..

@githubonlyy githubonlyy added the bug Something isn't working label Dec 14, 2023
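As an added illustration of the reporter's point (example code, not from the issue or from the ESCU project): a small parser that pulls the reporting host (Subject Account Name, what the detection currently surfaces as dest), the locked-out Account Name and the Caller Computer Name out of 4740 message bodies, then counts distinct locked-out accounts per host. Grouping by reporting host collapses everything onto the DC, while grouping by Caller Computer Name names the workstation. The event bodies, host names and the threshold of 5 are constructed.

```python
import re
from collections import defaultdict

# Constructed 4740 message bodies in the layout shown in the issue. In a domain the
# Subject Account Name is the reporting DC (what the detection currently shows as
# dest); Caller Computer Name is the workstation the bad passwords came from.
def _event(dc, user, caller):
    return (
        "A user account was locked out.\n\nSubject:\n\n"
        f"Security ID: SYSTEM\nAccount Name: {dc}$\nAccount Domain: WORKGROUP\n"
        "Logon ID: 0x3e7\n\nAccount That Was Locked Out:\n\n"
        f"Security ID: {dc}\\{user}\nAccount Name: {user}\n\n"
        f"Additional Information:\n\nCaller Computer Name: {caller}\n"
    )

# Six accounts locked from one workstation (the reporter's scenario) plus one
# unrelated lockout, all reported by the same DC.
SAMPLE_EVENTS = [_event("DC01", f"user{i}", "WS-FINANCE-07") for i in range(1, 7)]
SAMPLE_EVENTS.append(_event("DC01", "alice", "WS-HR-02"))

FIELD_RE = {
    # Account Name under "Subject:" is the reporting host; strip the trailing "$".
    "reporting_host": re.compile(r"Subject:.*?Account Name:\s*(\S+?)\$?\n", re.S),
    "locked_account": re.compile(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S),
    # Caller Computer Name can be blank in real 4740 events, so allow an empty match.
    "caller_computer": re.compile(r"Caller Computer Name:[ \t]*(\S*)"),
}

def parse_4740(message):
    """Return the three attribution fields of one 4740 message body."""
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(message)
        fields[name] = m.group(1) if m else None
    if not fields["caller_computer"]:
        fields["caller_computer"] = "(unknown)"
    return fields

def group_lockouts(messages, key="caller_computer", threshold=5):
    """Distinct locked-out accounts per value of `key`, keeping only values at or
    above `threshold`. key="reporting_host" reproduces the dest-based grouping the
    issue describes; key="caller_computer" names the source workstation instead."""
    accounts = defaultdict(set)
    for msg in messages:
        ev = parse_4740(msg)
        if ev["locked_account"] and ev[key]:
            accounts[ev[key]].add(ev["locked_account"])
    return {k: sorted(v) for k, v in accounts.items() if len(v) >= threshold}
```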
@patel-bhavin
Contributor

Hello @githubonlyy :
We tested this detection with the given attack data and noticed that we do not have the field called Caller Computer Name in our logs.

It seems like the Windows TA logs are not mapping Caller Computer Name to src or dest.

Do you have a recommended SPL? A screenshot of how that would look would help with understanding the ask!

@patel-bhavin
Contributor

Did you want src as an output in the SPL? Here's what it looks like in our test env.

@githubonlyy
Author

githubonlyy commented Jan 25, 2024 via email
