Query for the specific requirement
I need the following for my ArcSight Logger:
I need a query which can look up and generate the list of account lockouts, and also a query which can provide logon failures for the accounts. [Accounts would be AD logins]
I need to convert this query into a dashboard for daily monitoring.
Also, I would like to know whether we can trigger an alert when there are more than 10 logon failures in 5 minutes, or more than 3 account lockouts in half an hour from the SAME ACCOUNT (this should be customized as per our requirement).
Use the query below for capturing Account Lockout details:
-- Logger report SQL: list lockout events by user, event name and source host
SELECT events.arc_destinationUserName "User Name",
       events.arc_name "Event Name",
       events.arc_sourceHostName "Source Host Name"
FROM events
WHERE events.arc_name LIKE '%locked out%'
If you can identify values in these events, such as the deviceEventClassId, and use that in the "where" clause, the report will likely run faster than using ....name LIKE '%locked out%'.
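The thresholds asked for in the question (more than 10 logon failures in 5 minutes, or more than 3 lockouts in 30 minutes, counted per account) are a per-account sliding-window count. The script below is an added example, not ArcSight Logger code and not from either poster: it applies that counting rule to rows shaped like ArcSight-normalized Windows events, using the field names from the thread (destinationUserName, name, deviceEventClassId). The deviceEventClassId strings, the sample events and the rule thresholds are constructed assumptions; the one fixed fact relied on is that Windows event 4625 is a failed logon and 4740 is an account lockout, which is also the kind of value the second reply suggests filtering on instead of a LIKE on the event name.

```python
"""Per-account sliding-window threshold alerting over ArcSight-style events.

Added example (not ArcSight Logger code). deviceEventClassId values and the
sample events are constructed assumptions; 4625 = failed logon, 4740 = lockout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule table mirroring the question: threshold is "more than N" inside the window.
RULES = {
    "logon_failures":   {"event_id": "4625", "threshold": 10, "window": timedelta(minutes=5)},
    "account_lockouts": {"event_id": "4740", "threshold": 3,  "window": timedelta(minutes=30)},
}


def classify(event):
    """Map an event to a rule name by the numeric suffix of its deviceEventClassId."""
    dec_id = event.get("deviceEventClassId", "")
    for rule_name, rule in RULES.items():
        if dec_id.endswith(":" + rule["event_id"]):
            return rule_name
    return None  # not an event any rule cares about


def find_alerts(events):
    """Return one alert per (rule, account) whose count exceeds the threshold
    within the rule's sliding window.

    Events are walked in time order; each (rule, account) keeps a deque of the
    timestamps still inside the window, so the check is O(1) amortised per event.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for event in sorted(events, key=lambda e: e["endTime"]):
        rule_name = classify(event)
        if rule_name is None:
            continue
        rule = RULES[rule_name]
        # AD account names are case-insensitive, so fold before grouping
        key = (rule_name, event["destinationUserName"].lower())
        ts = event["endTime"]
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > rule["window"]:   # expire timestamps outside the window
            q.popleft()
        if len(q) > rule["threshold"] and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": rule_name, "account": key[1], "count": len(q), "at": ts})
    return alerts


def sample_events():
    """Constructed sample rows in the shape of ArcSight-normalized Windows events."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    dec_fail = "Microsoft-Windows-Security-Auditing:4625"   # assumed connector format
    dec_lock = "Microsoft-Windows-Security-Auditing:4740"
    dec_ok   = "Microsoft-Windows-Security-Auditing:4624"

    def row(user, t, dec_id, name):
        return {"endTime": t, "destinationUserName": user, "deviceEventClassId": dec_id, "name": name}

    events = []
    # ALICE: 11 failures inside 4 minutes -> exceeds 10-in-5-minutes
    events += [row("ALICE", base + timedelta(seconds=20 * i), dec_fail, "An account failed to log on") for i in range(11)]
    # bob: 11 failures, one every 2 minutes -> never more than 3 inside any 5-minute window
    events += [row("bob", base + timedelta(minutes=2 * i), dec_fail, "An account failed to log on") for i in range(11)]
    # carol: 4 lockouts in 15 minutes -> exceeds 3-in-30-minutes
    events += [row("carol", base + timedelta(minutes=5 * i), dec_lock, "A user account was locked out") for i in range(4)]
    # dave: exactly 3 lockouts -> equals the threshold, must not alert
    events += [row("dave", base + timedelta(minutes=3 * i), dec_lock, "A user account was locked out") for i in range(3)]
    # a successful logon that every rule must ignore
    events.append(row("alice", base, dec_ok, "An account was successfully logged on"))
    return events


if __name__ == "__main__":
    for alert in find_alerts(sample_events()):
        print(f"{alert['at']:%H:%M:%S} {alert['rule']} account={alert['account']} count={alert['count']}")
```

The deque-per-account approach is what a "more than N in T" alert has to do regardless of where it runs; in Logger the same grouping is expressed by keying the alert on the account field and tuning the count and time window, while the detection query itself should filter on deviceEventClassId as the second reply recommends rather than on a substring of the event name.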