
The 1+ Scenario


I've read through the documentation around window and gate, but neither
appears to specifically do what I need....and the documentation around
unique versus distinct is lacking.

Scenario:

Microsoft, in all its wisdom, decided that Account Lockout events will
register on the Domain Controller in question and the FSMO role DC. As a
result, the collector can receive 1 or more (not always 1 or 2, can
sometimes be 3 or 4) events, making it difficult to trigger a
correlation for 1 unique event.

However, the other issue is that the details in the Event Log can differ
between the registering DC(s) and the FSMO.

What I want to do is correlate where 1+ events occur for a single dun within,
say, 30 seconds, then trigger the correlation with all event(s) details
being given to the correlation (to make sure all necessary details are
emailed correctly without spamming the mailbox)....but I also want to do
this without missing multiple account lockouts for the same user
(contradictory enough??).

At the moment the correlation is:

filter((e.XDASClass = 0) AND (e.XDASIdentifier = 2) AND (e.XDASOutcome = 0) AND (e.VendorEventCode = "4740")) flow trigger(1,59,discriminator(e.TargetUserName))


--
-"Also now available in 'G+'
(https://plus.google.com/u/0/112362149544381813153) and 'Website'
(https://secure.isam.kiwi/) format".- 😉
------------------------------------------------------------------------
ScorpionSting's Profile: https://forums.netiq.com/member.php?userid=469
View this thread: https://forums.netiq.com/showthread.php?t=52117

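The behaviour asked for above (one alert per TargetUserName that gathers every DC's copy of event 4740 arriving within a window, with the field details of all copies merged, while a later lockout of the same user still produces its own alert) can be modelled outside the correlation engine. The following is an added example written for this thread; it is not Sentinel's rule language, not code from the original post, and not the product's own implementation. The 30-second window, the sample events, the DC names and the extra "msg" field on the FSMO copy are all constructed assumptions.

```python
"""Model of the "1+ lockout events per user within a window" correlation.

Constructed example for the forum thread above; it is not the Sentinel
rule language and not the poster's code. Every 4740 copy for one
TargetUserName (tag "dun") that arrives within WINDOW is folded into one
alert, a later lockout of the same user opens a new alert, and the alert
carries the union of the fields from all copies (the FSMO copy may hold
fields the registering DC's copy lacks).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed, per the post's "say, 30 seconds"


@dataclass
class Alert:
    user: str
    first_seen: datetime
    events: list = field(default_factory=list)  # raw copies merged into the alert

    def merged_details(self) -> dict:
        """Union of the fields across every DC's copy; first value wins on clash."""
        merged = {}
        for ev in self.events:
            for key, value in ev.items():
                merged.setdefault(key, value)
        return merged


class LockoutCorrelator:
    """Group 4740 events by TargetUserName within `window`; one alert per group."""

    def __init__(self, window: timedelta = WINDOW):
        self.window = window
        self.open = {}  # dun -> Alert still collecting copies

    def _expire(self, now: datetime) -> list:
        # Close every alert whose window has elapsed relative to the event clock.
        # A real engine would do this on a timer; here it happens as events arrive
        # or on flush(), so the demo drives it purely from event timestamps.
        closed = [a for a in self.open.values() if a.first_seen + self.window <= now]
        for alert in closed:
            del self.open[alert.user]
        return closed

    def ingest(self, event: dict) -> list:
        """Feed one event (in timestamp order); return the alerts this closes."""
        now = event["dt"]
        closed = self._expire(now)
        user = event["dun"]
        alert = self.open.get(user)
        if alert is None:
            # First copy seen for this user: open a new alert, don't emit yet.
            self.open[user] = Alert(user=user, first_seen=now, events=[event])
        else:
            # Another DC's copy of the same lockout: fold it in.
            alert.events.append(event)
        return closed

    def flush(self) -> list:
        """Close whatever is still open (end of stream / timer expiry)."""
        closed = list(self.open.values())
        self.open.clear()
        return closed


T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed base time


def make_event(dun: str, shn: str, offset_s: int, **extra) -> dict:
    """Constructed 4740 record using the Sentinel tag names from the thread."""
    ev = {"evt": "A user account was locked out.", "VendorEventCode": "4740",
          "dun": dun, "shn": shn, "dt": T0 + timedelta(seconds=offset_s)}
    ev.update(extra)
    return ev


# Constructed sample: alice is registered by DC1 and again by the FSMO (PDC1),
# bob once, then alice is locked out a second time 45 s later.
SAMPLE_EVENTS = [
    make_event("alice", "DC1", 0),
    make_event("alice", "PDC1", 2, msg="Caller computer WS01 (constructed)"),
    make_event("bob", "DC2", 5),
    make_event("alice", "DC1", 45),
    make_event("alice", "PDC1", 47, msg="Caller computer WS01 (constructed)"),
]


def run_demo(events=SAMPLE_EVENTS, window: timedelta = WINDOW) -> list:
    """Run the correlator over the events and return alerts in emission order."""
    corr = LockoutCorrelator(window)
    alerts = []
    for ev in sorted(events, key=lambda e: e["dt"]):
        alerts.extend(corr.ingest(ev))
    alerts.extend(corr.flush())
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        d = a.merged_details()
        sources = [e["shn"] for e in a.events]
        print(f"{a.user}: {len(a.events)} copies from {sources}, msg={d.get('msg')!r}")
```

Running it yields three alerts: alice (two copies, with the msg field taken from the PDC1 copy), bob (one copy) and alice again for the second lockout. The price of merging is latency, since an alert for a user cannot be sent until the window has elapsed, and the model assumes copies arrive in timestamp order; a copy from a slow DC landing after the window has closed would open a second alert, which is the same trade-off the window/gate constructs impose.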

Re: The 1+ Scenario


I use filter(e.EventName = "A user account was locked out.") for
monitoring account lockouts.

The email contains the following:

EVENT DETAILS (1 OF 2)
Long Name            Tag Name
CollectorNodeName    port
EventName            evt
EventTime            dt
InitiatorUserDomain  rv35
InitiatorUserName    sun
Severity             sev
SourceHostName       shn
TargetHostDomain     rv41
TargetHostName       dhn
TargetUserName       dun
XDASOutcomeName      xdasoutcomename
XDASTaxonomyName     xdastaxname


EVENT DETAILS (2 OF 2)
Long Name            Tag Name
CollectorNodeName    port
EventName            evt
EventTime            dt
InitiatorUserDomain  rv35
InitiatorUserName    sun
Message              msg
Severity             sev
SourceHostName       shn
TargetHostDomain     rv41
TargetHostName       dhn
TargetUserName       dun
XDASOutcomeName      xdasoutcomename
XDASTaxonomyName     xdastaxname


--
woodspeed
------------------------------------------------------------------------
woodspeed's Profile: https://forums.netiq.com/member.php?userid=7232


Re: The 1+ Scenario


Thanks, but the correlation I have works....

The issue I have is only having the 1 correlation trigger for the 1 or 2
or 3 or 4 events received from the Domain Controllers....


--
ScorpionSting's Profile: https://forums.netiq.com/member.php?userid=469
