(Pro-active) Alert of account lockouts

katos

We use a similar script to the below to alert of account lockouts so that the helpdesk can provide pro-active support for users, this drastically increased our user satisfaction in our latest IT Forums, and allows us to catch issues before they become worse (emails failing to send, case management system lockouts, etc.)

# Email into the helpdesk to alert pro-actively of any account lockouts

Start-Transcript -path "c:\lockoutlog.txt" -append

$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
$LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated.ToLongDateString() + " " + $AccountLockOutEvent.TimeGenerated.ToLongTimeString()
$AccountLockOutEventMessage = $AccountLockOutEvent.Message

if ( $LockedAccount -ne "Guest" )
{ send-mailmessage $email
}
Stop-Transcript

tankerkiller125

I’m guessing you have this running as a scheduled task?

katos

tankerkiller125 whilst we don’t use this exact script, yes ours run as a scheduled task.

phenomlab

We use Alien Vault to capture this stuff (we’re a regulated firm, so have to keep logs etc for minimum one year) and this fires an email as soon as an account is locked out. We’re also SOC and SOX regulated…….you can just smell the fun.

tankerkiller125

phenomlab We just got SOC2 Type 1 done a couple weeks ago, now I have to make sure I’m actually implementing it all. My biggest concern is actually logging the failed logins and stuff, currently we use a custom built app but I’m hoping to convince management to use a real SIEM solution or at the minimum the Elastic SIEM solution.

phenomlab

tankerkiller125 Be careful with ElasticSearch. The spec requirements are outrageous, and it only works properly if setup in a cluster. Most on-prem installs of this type typically fail at the first hurdle owing to cost, backup, and availability. In my role as Head of IT and CISO, this is one of the many things I need to worry about. It’s why I chose Alien Vault.

Not cheap, but worth every penny / dime (dependant on location 🙂).

There are numerous ways to sell any SIEM product - mostly it’s around accountability, traceability, forensics, and so on. Imagine having to tell senior management you can’t tell whom entered your network without authorisation 6 months ago as you have no log retention…. 🤮

tankerkiller125

phenomlab Honestly my bigger concern at this point is the fact that the former IT director started the SOC2 stuff but I had to finish it. So there are some things that I’m still questioning if they are correct/valid. Our inspectors (can’t think of the right name ATM) have been very helpful but they don’t have a lot of time to actually go through every detail with me so there’s quite a bit of stress there.

tankerkiller125

phenomlab Be careful with ElasticSearch. The spec requirements are outrageous, and it only works properly if setup in a cluster. Most on-prem installs of this type typically fail at the first hurdle owing to cost, backup, and availability.

And this is why we would be paying Elastic to host it for us if we go through with it. My time is more valuable than trying to keep things like this working all the time.

phenomlab

tankerkiller125 I understand that totally. Having set mine up from scratch, I know how much stress that can be. I’m more than happy to help 🙂

phenomlab

tankerkiller125 100% agree with this.