security_content icon indicating copy to clipboard operation
security_content copied to clipboard

Published 20 hours ago verified publisher icon splunk

[BUG] ESCU - Detect Excessive Account Lockouts From Endpoint

Open githubonlyy opened this issue 1 year ago • 3 comments

If you have a Splunk Support contract, creating a support case for your issue may result in faster resolution.

Describe the bug

The Caller Computer Name is not extracted in the alert only the domain controller

Expected behavior

The Caller Computer Name should be displayed has the source of the lockouts

Screenshots

If applicable, add screenshots to help explain your problem. image

App Version:

  • ESCU: [e.g. 4.17.0]
  • Splunk Security Essentials: [e.g. 3.7.1]

Additional context

I tested and locked out 6 accounts from 1 workstation and realized that the dest field was referring to the domain controller and not to the caller workstation

Examples of 4740 A user account was locked out.

Subject:

Security ID: SYSTEM Account Name: WIN-R9H529RIO4Y$ Account Domain: WORKGROUP Logon ID: 0x3e7

Account That Was Locked Out:

Security ID: WIN-R9H529RIO4Y\John Account Name: John

Additional Information:

Caller Computer Name: WIN-R9H529RIO4Y After that I saw that the dm dosent support this field which seems to be relavent to the src..

githubonlyy avatar Dec 14 '23 08:12 githubonlyy

Hello @githubonlyy : We tested this detection with the given attack data and noticed that we do not have the field called Caller Computer Name in our logs

It seems like the Windows TAlogs are not mapping Caller Computer Name to src or dest

image

Do you have a recommended SPL and a screenshot of how that would looks like will help better with understanding the ask!

patel-bhavin avatar Jan 25 '24 00:01 patel-bhavin

Did you want src as an output in the SPL. Here's what is looks like in our test env

image

patel-bhavin avatar Jan 25 '24 00:01 patel-bhavin

Exactly, has you see it is unknown when it should be the source computer that the lockout occurs on

‫בתאריך יום ה׳, 25 בינו׳ 2024 ב-2:53 מאת ‪Bhavin Patel‬‏ <‪ @.***‬‏>:‬

Did you want src as an output in the SPL. Here's what is looks like in our test env

image.png (view on web) https://github.com/splunk/security_content/assets/7771446/281314e4-7dd3-4fba-aef9-bffda3b6bc94

— Reply to this email directly, view it on GitHub https://github.com/splunk/security_content/issues/2929#issuecomment-1909167626, or unsubscribe https://github.com/notifications/unsubscribe-auth/AZBEAWNWLEDDFAN524IG4ZTYQGUH5AVCNFSM6AAAAABAUPC222VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBZGE3DONRSGY . You are receiving this because you were mentioned.Message ID: @.***>

githubonlyy avatar Jan 25 '24 08:01 githubonlyy