Account Lockout - New Suspicious Activity Flag?

  • Question

  • Tracking down account lockout events on a domain is often a challenging task: which domain controller locked the account? Which machine initiated the lockout? Is there a disconnected RDP session still sending old credentials?

    Whilst the simple packet capture function in ATA will not expose this data, use of Windows Event Forwarding does.

    If the ATA Gateway is set to pull Security Event 4776 (normal domain security activities) as well as 4740 (account lockout), it would seem to be a trivial task to flag this as a suspicious event in the ATA Console, and notify appropriately (e.g. the Service Desk).

    This would deliver a major time saver to support staff trying to assist with a repeatedly locked out user account.

    Alternatively, is there a mechanism in ATA somewhere to enable an ATA admin to manually create a new category of suspicious activity?

    Wednesday, June 29, 2016 2:02 AM
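The lookup the question describes (which machine submitted the bad credentials that locked the account) can be done directly from Security event 4740, without waiting for ATA to surface it. The script below is an added example and is not code from the original poster or from ATA. It assumes the RSAT ActiveDirectory module is available (used only to locate the PDC emulator, which logs every 4740 in the domain because all lockouts are replicated to it), that the caller can read the DC's Security log remotely, and that the Event Viewer XML layout shown in the constructed sample is what `Get-WinEvent` returns; the function and parameter names are the example's own.

```powershell
# Added example: map an account lockout (Security event 4740) to the computer that caused it.
# Not from the original post or from ATA. Assumes RSAT ActiveDirectory module and read access
# to the PDC emulator's Security log. Function names are this example's own.

function ConvertFrom-LockoutEvent {
    # Parse one 4740 event (as XML) into the fields a service desk needs.
    param([Parameter(Mandatory)][xml]$EventXml)

    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        Time           = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        LockedAccount  = $data['TargetUserName']
        # In 4740, TargetDomainName carries the "Caller Computer Name": the host that
        # submitted the failing credentials (workstation, RDP client, Exchange server ...).
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $EventXml.Event.System.Computer
    }
}

function Get-AccountLockoutSource {
    # Pull 4740 events from the PDC emulator for the last N hours, optionally for one account.
    param(
        [string]$UserName,
        [int]$Hours = 24
    )

    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match, which is not an error here.
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEvent ([xml]$_.ToXml()) } |
        Where-Object { -not $UserName -or $_.LockedAccount -ieq $UserName } |
        Sort-Object Time
}

# Constructed sample 4740 event (offline demonstration of the parser; values are made up).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2016-06-29T01:55:12.000000000Z" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">WS-0142</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

ConvertFrom-LockoutEvent $sample | Format-Table -AutoSize

# Live use against the domain, e.g. for the account that keeps locking out:
#   Get-AccountLockoutSource -UserName jsmith -Hours 8 | Format-Table -AutoSize
```

Two caveats when reading the output. The caller computer is the host that presented the bad password to the DC, so for the disconnected RDP session case it points at the RDP server, not the user's desk; the next step is the 4625 (failed logon) events on that host, which name the process and logon type. And if the caller is a server that authenticates on behalf of clients (Exchange, a web proxy), 4740 alone stops there; the 4776 events the question mentions, read on the same DC, add the workstation name supplied in the NTLM request, which is often one hop closer to the real source.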

All replies

  • I also think that ATA could collect more events than just 4776.

    The detection algorithms are "hardcoded" into ATA and are quite sophisticated, so there is currently no way for you to extend its functionality. Thanks to this approach, it is very simple to deploy and manage ATA, at least in comparison with competing technologies.

    Saturday, July 2, 2016 8:28 AM