I don't think you need the "Unknown username or bad password" part; event 4625 is exactly that, no more, no less.

Rather than catching that in an Extractor, if you put it through pipeline rules you can augment the information in the message. For instance, the link I gave above has translation tables for the status/substatus code of the bad login… which you can place in a table to look up when the event happens and tell more about the bad login. There is another table for logon "type" if you are interested; that link has a "cheat sheet" you can download that has key Windows security events (short list) to work with.

So with a pipeline and a rule like the one below and its table lookups, you can get more detail and a more presentable alert.

```
rule "Enrich 4625 failed logon" // rule name is a placeholder, not from the original post
when
    to_string($message.winlog_event_id) == "4625"
then
    let subject_0 = concat("PW-BAD: ", to_string($message.winlog_event_data_TargetUserName));
    let subject_1 = concat(subject_0, " connecting to ");
    let subject_fin = concat(subject_1, to_string($message.winlog_host_name));
    let LogonTypeNumber = to_string($message.winlog_event_data_LogonType); // logon type
    let LogonTypeResult = lookup_value("winLogonType", LogonTypeNumber, 0); // look up logon type against pre-built table
    let LogonTypeErr = lookup_value("WinLogonErr", to_string($message.winlog_event_data_SubStatus), 0); // look up error reason in pre-built table
    let build_mess_0 = concat("Failed Password Attempt - ", to_string($message.winlog_event_data_TargetUserName)); // build out explanation for error message
end
```
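The enrichment the rule above performs, worked through in Python as an added example (not code from the post or from Graylog): two lookup tables keyed on SubStatus and LogonType, a `lookup_value` shim that mirrors Graylog's `lookup_value(table, key, default)`, and a function that turns a 4625 event into the same subject and message text. The SubStatus and LogonType meanings are the ones Microsoft documents for event 4625; the sample event, the field names in the result, and the `to_lookup_csv` helper (which writes the tables in the two-column form a CSV lookup data adapter can load) are constructed for this demo.

```python
import csv
import io

# Lookup table 1: SubStatus -> failure reason (values per Microsoft's 4625 documentation).
WIN_LOGON_ERR = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name is correct but the password is wrong",
    "0xC000006D": "bad user name or authentication information",
    "0xC000006E": "account restriction (e.g. blank passwords not allowed)",
    "0xC000006F": "logon outside authorized hours",
    "0xC0000070": "logon from unauthorized workstation",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
    "0xC000015B": "logon type not granted to this account",
    "0xC0000193": "account expired",
    "0xC0000234": "account locked out",
}

# Lookup table 2: LogonType -> name (values per Microsoft's 4625 documentation).
WIN_LOGON_TYPE = {
    "2": "Interactive",
    "3": "Network",
    "4": "Batch",
    "5": "Service",
    "7": "Unlock",
    "8": "NetworkCleartext",
    "9": "NewCredentials",
    "10": "RemoteInteractive",
    "11": "CachedInteractive",
}


def normalize_status(code):
    """Winlogbeat ships SubStatus as e.g. '0xc000006a'; the docs list '0xC000006A'.
    Normalise so both spellings hit the same table row."""
    body = str(code).lower()
    if body.startswith("0x"):
        body = body[2:]
    return "0x" + body.upper()


def lookup_value(table, key, default):
    """Shim for Graylog's lookup_value(table, key, default)."""
    return table.get(str(key), default)


def enrich_4625(event):
    """Return the enriched alert fields for a 4625 event, or None for any other event
    (the equivalent of the rule's `when` clause not matching)."""
    if str(event.get("winlog_event_id")) != "4625":
        return None
    user = str(event["winlog_event_data_TargetUserName"])
    host = str(event["winlog_host_name"])
    logon_type_number = str(event["winlog_event_data_LogonType"])
    substatus = normalize_status(event["winlog_event_data_SubStatus"])
    return {
        "subject": "PW-BAD: " + user + " connecting to " + host,
        "message": "Failed Password Attempt - " + user,
        "logon_type": lookup_value(WIN_LOGON_TYPE, logon_type_number,
                                   "unknown logon type " + logon_type_number),
        "reason": lookup_value(WIN_LOGON_ERR, substatus, "unknown substatus " + substatus),
    }


def to_lookup_csv(table):
    """Emit a table as quoted two-column CSV (key,value), the shape a CSV lookup
    data adapter consumes. Helper constructed for this demo."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["key", "value"])
    for key, value in table.items():
        writer.writerow([key, value])
    return buf.getvalue()


# Constructed sample 4625 event with Winlogbeat-style flattened field names.
SAMPLE_EVENT = {
    "winlog_event_id": "4625",
    "winlog_event_data_TargetUserName": "jdoe",
    "winlog_event_data_SubStatus": "0xc000006a",
    "winlog_event_data_LogonType": "10",
    "winlog_host_name": "DC01",
}

if __name__ == "__main__":
    enriched = enrich_4625(SAMPLE_EVENT)
    print(enriched["subject"])
    print(enriched["message"], "|", enriched["logon_type"], "|", enriched["reason"])
    print(to_lookup_csv(WIN_LOGON_TYPE))
```

Normalising the hex case before the lookup is the step most often missed: a table built from the documentation uses upper-case digits while the shipped field is lower-case, so without it every lookup falls through to the default and the alert still shows a bare code. The `reason` field also makes lockouts (`0xC0000234`) and disabled-account attempts (`0xC0000072`) stand out from ordinary typos without any extra rule.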