I am looking for a way to capture events where a user did not check out credentials from CyberArk before using them to RDP, so a scenario would be that someone checked out some credentials for 12 hours, he used it, then uses it again after 12 hours without doing another checkout.
I have a search where I am using a transaction command to capture CyberArk checkout events and Windows login events and looking for incomplete transactions with closed_txn=0. I have a query built but it does not seem to be capturing the right events because the result that shows up which has the two logs combined (Cyberark checkout and windows login) don’t have the correct information, the account name that was checked out does not match the account name used to login via RDP.
(index=wineventlog AND sourcetype="WinEventLog:Security" AND (Logon_Type=3 OR Logon_Type=10 OR Logon_Type=11) AND [inputlookup xxx.csv | fields + Account_Name ])
OR (index=main AND sourcetype="cyberark:epv:cef" AND "Retrieve password" AND (cn2="(Action: Show Password)" OR cn2="(Action: Copy Password)"))
| eval "Logon Behaviour"=case(Logon_Type==3,"Interactive",Logon_Type==10,"Remote Interactive",Logon_Type==11,"Cached Interactive")
| eval "Windows Account"=mvindex(Account_Name,1)
| transaction startswith="Retrieve password" endswith="Logon Type" keepevicted=1 keeporphans=1
| search closed_txn=0
| bucket _time span=12h
| stats count by _time "Windows Account" action Workstation_Name "Logon Behaviour"
| rename action as "Logon Result" Workstation_Name as "Workstation"
Below are a sample checkout event and a sample RDP event. I would appreciate any help in figuring this out or a better way to accomplish something like this.
**Check Out Event**
Aug 16 06:50:53 XXXXXX ABC: 0|Cyber-Ark|Vault|9.80.0000|295|Retrieve password|5|act=Retrieve password suser=user1 fname=fname1 dvc=dvc1 shost=192..x.x.x dhost=dhost1 **duser=duser1** externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=EA_VSA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5=192.168.122.30 cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=(Action: Copy Password)Troubeshooting msg=(Action: Copy Password)Troubeshooting
**RDP event**
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=computername1
TaskCategory=Logon
OpCode=Info
RecordNumber=12345678
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: AccountName1
Account Domain: domain1
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
**Account Name: duser1**
Account Domain: domain1
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x5f4
Caller Process Name: C:\Program Files\process
Network Information:
Workstation Name: workstation1
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
↧