
Query for Account lockout

Created: 16 Oct 2013 | 6 comments

I am looking at creating a query for account lockouts and can't figure it out.  I see the built-in queries for failed logins etc... but none for account lockouts. If someone can share their query filter I would appreciate it, to see what I am missing. Thanks again

Operating Systems:

Comments

JH-Analyst:

The way your Windows logs are being parsed into the SSIM may affect how you can do this, but the easiest surefire way is to determine the formatting of your Windows events and search for the specific lockout codes associated with them:

Windows 2003:

  • 539
  • 644

Windows 2008:

  • 4625 (this code logs for all failed logins - NTLM error code c0000234 indicates lockout as reason)
  • 4740

Using those, along with knowing the format of your Windows events in the SSIM, the filter can be one of these:

  • Vendor Signature = Security:539 or Vendor Signature = 644 (etc...)
  • Vendor Signature = Microsoft-Windows-Security-Auditing:4740
  • Windows Event ID = 539

Basically, just put all of the codes into criteria using an "OR" logic bracket and search.
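As an added example (not from the original thread, and not SSIM's own query syntax), the Python below applies the OR-of-event-IDs logic from the answer above to a few constructed, already-parsed events, and handles the 4625 caveat: a 4625 counts as a lockout only when its Status/Sub Status text carries 0xC0000234. The field names `vendor_signature`, `event_id` and `description` are assumed stand-ins for whatever your parser actually produces, and the sample descriptions are abbreviated, constructed message text rather than captured logs.

```python
import re

# Event IDs that by themselves mean "account locked out"
# (539/644 on Windows 2003, 4740 on Windows 2008 and later), as listed above.
LOCKOUT_EVENT_IDS = {539, 644, 4740}

# 4625 fires for every failed logon; only the NTSTATUS value 0xC0000234
# (STATUS_ACCOUNT_LOCKED_OUT) in its Status / Sub Status fields marks a lockout.
FAILED_LOGON_EVENT_ID = 4625
LOCKOUT_STATUS = 0xC0000234

# Matches both "Status: 0x..." and "Sub Status: 0x..." in the message text.
_STATUS_RE = re.compile(r"(?:Sub\s*)?Status:\s*(0x[0-9A-Fa-f]+)")
# Trailing numeric ID of a vendor signature such as "Security:539".
_SIGNATURE_RE = re.compile(r":(\d+)\s*$")


def event_id_of(event):
    """Return the numeric Windows event ID from whichever field the parser filled.

    Handles both a dedicated numeric field (event_id) and a vendor signature
    such as "Security:539" or "Microsoft-Windows-Security-Auditing:4740".
    Field names are assumptions for this example.
    """
    if event.get("event_id") is not None:
        return int(event["event_id"])
    match = _SIGNATURE_RE.search(event.get("vendor_signature", ""))
    return int(match.group(1)) if match else None


def is_lockout(event):
    """True if the parsed event records an account lockout."""
    event_id = event_id_of(event)
    if event_id in LOCKOUT_EVENT_IDS:
        return True
    if event_id == FAILED_LOGON_EVENT_ID:
        # A bare 4625 is any failed logon; require the lockout status code.
        codes = _STATUS_RE.findall(event.get("description", ""))
        return any(int(code, 16) == LOCKOUT_STATUS for code in codes)
    return False


def lockouts(events):
    """The equivalent of the OR-ed SIEM filter: keep only lockout events."""
    return [event for event in events if is_lockout(event)]


# Constructed sample events in an assumed normalized form.
SAMPLE_EVENTS = [
    {"vendor_signature": "Microsoft-Windows-Security-Auditing:4740",
     "description": "A user account was locked out. Account Name: jdoe"},
    # Wrong password (0xC000006A): a failed logon, not a lockout.
    {"vendor_signature": "Microsoft-Windows-Security-Auditing:4625",
     "description": "An account failed to log on. Account Name: jdoe "
                    "Status: 0xC000006D Sub Status: 0xC000006A"},
    # Same event ID, but the status says the account is locked out.
    {"vendor_signature": "Microsoft-Windows-Security-Auditing:4625",
     "description": "An account failed to log on. Account Name: jdoe "
                    "Status: 0xC0000234 Sub Status: 0x0"},
    {"vendor_signature": "Security:539", "event_id": 539,
     "description": "Logon Failure: Reason: Account locked out"},
    {"vendor_signature": "Microsoft-Windows-Security-Auditing:4624",
     "description": "An account was successfully logged on. Account Name: jdoe"},
]

if __name__ == "__main__":
    for event in lockouts(SAMPLE_EVENTS):
        print(event_id_of(event), event["description"][:40])
```

Run as a script it lists the three lockout events (4740, the 4625 with status 0xC0000234, and 539) and skips the plain bad-password 4625 and the successful 4624; that second 4625 case is exactly why searching on event ID 4625 alone over-counts.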

JH-Analyst:

Forgive me, I just realized you had listed "Linux" for this. I looked into this in the past and did not have a lot of success at creating a rule looking for account lockouts in Linux environments.

However, I can tell you that one way to do it is to look for the "" module to detect more than "loginretries" configured value on the actual server and what the "unlock_time" value is for temporary lockouts of accounts.

If you can generate an event by failing to log in to that server, you can then search for the event in the SSIM and see how it was parsed in order to develop search criteria for similar events, identifying its Vendor Signature, Intrusion fields, Description field, etc.

hgil:

Thanks JH-Analyst.  Windows was my next query so you basically killed two birds with one stone. 

mathell:

If only we had a product which would place events into event type buckets (through event aggregation and normalization) so that we could search across reporting device types!! Then you could search for something like "account lockout" events and it would show them regardless of OS or device.  Oh, wait...that's what a SIEM is for.  Sorry to be so snarky, but after 10 years one would think we'd be able to expect more from these solutions. Instead, we get to manually review how each event is parsed and create a bunch of OR queries.  Ridiculous.

JH-Analyst:

Hence why they decided it would take too much money to try to regain the market with the SSIM and abandoned it lol. They left too many things in an "almost working state" for too long and decreased confidence among too many communities of thought. It's a shame too, because there are many things I like about it versus other solutions.

SSIM's solution for multi-technology event categorization was through the EMR columns and the Symantec Event Code. However, that field is completely unreliable for account lockouts and is almost always empty.

Oh, and if you send events through an ArcSight Logger platform, all bets are off, it gets a little wild!

mathell:

I concur, the SSIM has great "bones" but Symantec just didn't execute on too many fronts.  EMR values are a great example.  This is not the first SIEM I've used that suffered from this though. People look to the SIEM to keep doing more and more (now big data seems to be an expectation), but I have yet to find one that can even do "bread and butter" event normalization well enough.  But I digress, good answers to the original question.