Hello there,
There are a couple of queries that I use to search for authentication failures on members of high-privileged groups. After testing, I noticed that the query is hit-and-miss. Specifically, if I reduce the number of groups in the search, it is more accurate. The structure of the query is as follows:
source="wineventlog:security" EventCode=4625 AND (dest_nt_domain="SC-MIDHURST")
    [| ldapsearch domain=Domain_Name search="(objectClass=group)"
     | search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"
     | ldapgroup
     | rename member_name AS Account_Name
     | table Account_Name
     | format ]
| stats count by user
Note: The number of groups is around 200.
My approach has been to place all of the groups in a csv file to be used as a LUT. However, I am having trouble combining the inputlookup command and the ldapsearch command. They are both required to be the first command in a search.
Any ideas are appreciated.
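One way to keep the group list in a CSV and still use ldapsearch, as an added example that is not part of the original post or of the SA-ldapsearch app. It takes inputlookup out of the first position by running it inside a subsearch, and it moves the expensive group expansion out of the 4625 search entirely: the first search is meant to be scheduled and writes the expanded membership to a lookup file, the second runs against the event data and matches on that file with the lookup command, which is not subject to the subsearch caps that apply to the original query (by default a subsearch returns at most 10,000 results and is cut off after 60 seconds, per maxout and maxtime in the [subsearch] stanza of limits.conf; two hundred groups expanded through ldapgroup can exceed that). Assumptions: a lookup file privileged_groups.csv with a single column named cn holding the group names, an output file name privileged_members.csv, and the same domain and dest_nt_domain values as above; these file names are hypothetical. Both sides are lower-cased before matching because CSV lookups are case-sensitive by default and the account name in the event may not match the case of sAMAccountName in AD.

```spl
| ldapsearch domain=Domain_Name search="(objectClass=group)"
| search [| inputlookup privileged_groups.csv | fields cn | format]
| ldapgroup
| eval member_name=lower(member_name)
| dedup member_name
| table member_name
| outputlookup privileged_members.csv

source="wineventlog:security" EventCode=4625 dest_nt_domain="SC-MIDHURST"
| eval user_lc=lower(user)
| lookup privileged_members.csv member_name AS user_lc OUTPUT member_name AS privileged_user
| where isnotnull(privileged_user)
| stats count by user
```

The block holds two separate searches: save the first as a scheduled report (hourly is usually enough, since group membership changes slowly) and use the second ad hoc or as the alert search. With inputlookup inside the subsearch, format turns the cn column into an OR of cn="..." terms, so adding or removing a group is a CSV edit rather than a query change, and the subsearch only has to return the 200 group names, not their members.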