
[Enhancement] Correlation support - No authentication success event

Open AvrumFeldman opened this issue 10 months ago • 1 comments

Hi,

I recall seeing you mention somewhere you plan on implementing correlation but cannot find now where.

It would be a great feature addition to add some correlation support, at least for TerminalServices-Gateway event logs, which only report authentication success and not authentication failures.

I've written up a basic script (see below) that I planned on running on an RD Gateway to create event logs to be parsed by EvlWatcher. I ran into a challenge on how to handle events that happened during an extended period when my script didn't run: it can introduce a condition where EvlWatcher bans an IP only because my script reported multiple failed authentication requests at once, even though in reality these failed events happened over a span of time and are only reported together because my script processed all of them now that it is catching up.

I figure if the correlation can be somehow added into EvlWatcher it would solve the whole challenge, since EvlWatcher internally would compare the time ranges between the events.

Very simple script I wrote. It's still missing the Windows EventLog creation, but that should be trivial to add. As we can see, the correlation code is all of 4 lines long.

```powershell
$LastEventPath = ".\LastEvent.txt"

# Resume from the last event seen on the previous run; on the first run look back 100 days.
if (Test-Path $LastEventPath) {
    # The timestamp is saved in round-trip ("o") format below and parsed with the invariant
    # culture, so reading it back does not depend on the machine's regional date format.
    $Saved = (Get-Content $LastEventPath -Raw).Trim()
    $EventFilter_TimeStart = ([datetime]::Parse($Saved, [cultureinfo]::InvariantCulture)).AddSeconds(1)
} else {
    $EventFilter_TimeStart = (Get-Date).AddDays(-100)
}

# EndTime leaves a one-minute margin before "now".
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/operational'
    StartTime = $EventFilter_TimeStart
    EndTime   = (Get-Date).AddMinutes(-1)
} -ErrorAction SilentlyContinue

# This is the code that actually does the correlation: events are grouped by ActivityId, and an
# activity whose only event is a 312 (i.e. no follow-up authentication success) is returned.
$FailedAuth = $Events | Group-Object ActivityId | ForEach-Object {
    if (@($_.Group).Count -eq 1 -and $_.Group[0].Id -eq 312) {
        $_.Group
    }
}

# Save the newest event's timestamp to disk; it becomes the StartTime filter of the next run.
if ($Events) {
    $LastEventTime = ($Events | Sort-Object TimeCreated)[-1].TimeCreated
} else {
    $LastEventTime = Get-Date
}
# "o" is the culture-independent round-trip format; UTF-8 instead of UTF-7, which PowerShell 7 no longer supports.
$LastEventTime.ToString("o") | Out-File $LastEventPath -Encoding utf8 -Force
```

Edit: The reason we need to monitor this event log is that on an RD Gateway, event 4625 doesn't get generated when the username is correct but the password is incorrect.

AvrumFeldman avatar Apr 01 '24 20:04 AvrumFeldman
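As an added example (not the issue author's script and not EvlWatcher code), the same ActivityId correlation combined with a per-client sliding window over the events' own timestamps, which is one way to keep a backlog processed in a single run from being counted as a burst. It assumes each record carries a `ClientIp` field (constructed here; on real EventLogRecord objects it would have to be parsed out of the 312 message text) and uses constructed sample records in place of Get-WinEvent output.

```powershell
# Added example: ActivityId correlation plus a per-client sliding window over event
# timestamps, so a backlog handled in one run is judged by when the attempts happened.
# Assumption: each record carries a 'ClientIp' field (constructed below; a real
# EventLogRecord would need it parsed out of the 312 message text).

function Get-UncorrelatedAttempts {
    param([object[]]$Events)
    # Same rule as the script above: an activity whose only event is a 312 had no follow-up success.
    $Events | Group-Object ActivityId | ForEach-Object {
        if (@($_.Group).Count -eq 1 -and $_.Group[0].Id -eq 312) { $_.Group[0] }
    }
}

function Get-ClientsOverThreshold {
    param([object[]]$FailedAttempts, [int]$Threshold = 3, [int]$WindowMinutes = 10)
    $FailedAttempts | Group-Object ClientIp | ForEach-Object {
        $ip    = $_.Name
        $times = @($_.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
        # Flag the client only if $Threshold failures fall within $WindowMinutes of each other,
        # measured on the events' own TimeCreated, never on the time the script ran.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $last = $times[$i + $Threshold - 1]
            if (($last - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ ClientIp = $ip; FirstSeen = $times[$i]; LastSeen = $last }
                break
            }
        }
    }
}

# Constructed sample records standing in for Get-WinEvent output.
function New-Rec([string]$Act, [int]$Id, [datetime]$At, [string]$Ip) {
    [pscustomobject]@{ ActivityId = $Act; Id = $Id; TimeCreated = $At; ClientIp = $Ip }
}
$t0 = [datetime]'2024-04-01T20:00:00'
$sample = @(
    New-Rec 'a1' 312 $t0                '10.0.0.5'   # three lone 312s within 70 seconds: a burst
    New-Rec 'a2' 312 $t0.AddSeconds(30) '10.0.0.5'
    New-Rec 'a3' 312 $t0.AddSeconds(70) '10.0.0.5'
    New-Rec 'b1' 312 $t0.AddDays(-4)    '10.0.0.9'   # three lone 312s spread over four days:
    New-Rec 'b2' 312 $t0.AddDays(-2)    '10.0.0.9'   # same count, but no 10-minute window holds
    New-Rec 'b3' 312 $t0                '10.0.0.9'   # all three, so this client is not flagged
    New-Rec 'c1' 312 $t0.AddSeconds(5)  '10.0.0.7'   # 312 with a follow-up event (id chosen for
    New-Rec 'c1' 200 $t0.AddSeconds(6)  '10.0.0.7'   # the sample) in the same activity: correlated
)

$failed = Get-UncorrelatedAttempts -Events $sample
Get-ClientsOverThreshold -FailedAttempts $failed -Threshold 3 -WindowMinutes 10 | Format-Table
```

Writing one consolidated event per flagged client (with FirstSeen/LastSeen) rather than one per historical failure is what keeps EvlWatcher from seeing a catch-up run as a fresh attack.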