LP Alert rule correct? ("LP_Windows Failed Login Attempt using an Expired Account")

  • 25 January 2022

Hello,

I am currently taking a look at the alert rules shipped with LogPoint, trying to figure out which of these are applicable to our environment, and sometimes find something I think (keep in mind, I am neither an expert regarding LogPoint nor InfoSec) is not correct. I do not know whether LogPoint has any bug tracker I can post\ask for clarification.


E.g.

Alert rule  - LP_Windows Failed Login Attempt using an Expired Account (LP 6.12.2)

“This alert is triggered whenever user attempts to login using expired account.”

The search query is

norm_id=WinServer* label=User label=Login label=Fail sub_status_code="0xC0000071" -target_user=*$ -user=*$ -user IN EXCLUDED_USERS | rename user as target_user, domain as target_domain, reason as failure_reason

 

As far as I understand the Windows documentation (4625(F) An account failed to log on. (Windows 10) - Windows security | Microsoft Docs), the substatus 0xC0000071 means the login was attempted with an expired password, not with an expired account, which would be 0xC0000193.

So shouldn’t the search query use the substatus 0xC0000193, or am I missing something? (I do not see the big impact a login attempt with an expired password has, while I would like to be alerted when an expired account tries to login.)

 

 

Another question:

I would like to know what “label=User label=Login label=Fail” (or any other shipped label) actually decodes to. However, I cannot find the search package for the Windows labels to take a look at how these search labels are “decoded”.


Best answer by Andre Kurtz 26 January 2022, 10:59


Hi,

There is no public bug tracker, but our Support team usually take these on board and raise an engineering ticket for anything like this, and ultimately this then flows into the next version of the Alert rules package. We’ve done quite a few updates to that recently, but there is always room for improvement. The alternative is the ideas portal (top right corner), but that’s more for new product ideas, rather than just “fixing” things to work properly.

As for the labels that are applied, at least in the case of Windows they are based on specific event IDs. Because they are compiled normalisers, there is no way of seeing them in the product.

I’ve dug the ones that are applied to the Security Event Log out of the code, and pasted them below. If there are any mistakes there feel free to let us know.

1108,"Application,Notice,Filter,Policy,Change"
1502,"Policy,Notice"
1704,"Group,Policy"
4608,"System,Up"
4610,"Package,Application,Up"
4611,"Application,Process,Up"
4614,"Package,Application,Up"
4615,"Invalid,System,Warning"
4616,"System,Time,Change"
4624,"User,Login,Successful"
4625,"Fail,Login,User"
4634,"User,Logoff"
4647,"User,Logoff"
4648,"Login,Attempt,Explicit,Credential"
4649,"Attack,Detect"
4653,"Negotiation,Fail"
4656,"Object,Access"
4657,"System,Configuration,Change"
4658,"Object,Close"
4659,"Object,Access,Attempt"
4660,"Object,Delete"
4661,"Object,Access"
4662,"Object,Access"
4663,"Object,Access,Attempt"
4664,"Link,System,Notice"
4670,"Object,Permission,Change"
4672,"Privilege,Assign"
4673,"Privilege,Service,Call"
4674,"Operation,Object,Access"
4675,"Application,Warning"
4688,"Application,Up,Process,Create"
4689,"Process,Exit,Application,Down"
469,"Protection,Application,Up"
4690,"Duplicate,Object,Handle"
4692,"Backup,Application,Up"
4695,"Unprotection,Suspicious,Application"
4697,"Application,Service"
4698,"Application,Service,Schedule,Task,Create"
4699,"Application,Service,Schedule,Task,Delete"
4700,"Application,Up,Schedule,Task,Enable"
4701,"Application,Down,Schedule,Task,Disable"
4702,"Application,Service,Schedule,Task,Update"
4703,"Token,Right"
4704,"Authorization,Policy,Change,Assign,User,Right"
4705,"Authorization,Policy,Change,Remove,User,Right"
4706,"Authorization,Policy,Change,New,Trust,Application,Service,Create"
4707,"Authorization,Policy,Change,Trust,Application,Service,Remove"
4713,"Kerberos,Authentication,Policy,Change"
4714,"Authorization,Encrypt,Data,Recovery,Policy,Change"
4715,"Object,Audit,Policy,Change"
4716,"Authentication,Policy,Trust,Domain,Information,Change"
4717,"Authentication,Policy,Change,Allow,System,Security,Access"
4718,"Authentication,Policy,Change,Remove,System,Security,Access"
4719,"System,Audit,Policy,Change"
4720,"User,Account,Create,Management"
4722,"User,Account,Enable,Management"
4723,"User,Account,Management,Password,Change"
4724,"User,Password,Reset,Account,Management"
4725,"User,Account,Disable,Management"
4726,"User,Account,Management,Delete"
4727,"Global,Security,Group,Management,Create"
4728,"Global,Security,Group,Management,Member,Add,User"
4729,"Global,Security,Group,Management,Member,Remove,User"
4730,"Global,Security,Group,Management,Remove"
4731,"Local,Security,Group,Management,Create"
4732,"Local,Security,Group,Management,Member,Add,User"
4733,"Local,Security,Group,Management,Member,Remove,User"
4734,"Local,Security,Group,Management,Remove"
4735,"Local,Security,Group,Management,Change"
4737,"Global,Security,Group,Management,Change"
4738,"User,Account,Change,Management"
4739,"Other,Account,Management,Domain,Policy,Change"
4740,"User,Account,Lock,Management"
4741,"Computer,Account,Create,Management"
4742,"Computer,Account,Change,Management"
4743,"Computer,Account,Remove,Management"
4744,"Local,Distribution,Group,Management,Create"
4745,"Local,Distribution,Group,Management,Change"
4746,"Local,Distribution,Group,Management,Member,Add,User"
4747,"Local,Distribution,Group,Management,Member,Remove,User"
4748,"Local,Distribution,Group,Management,Remove"
4749,"Global,Distribution,Group,Management,Create"
4750,"Global,Distribution,Group,Management,Change"
4751,"Global,Distribution,Group,Management,Member,Add,User"
4752,"Global,Distribution,Group,Management,Member,Remove,User"
4753,"Global,Distribution,Group,Management,Remove"
4754,"Universal,Security,Group,Management,Create"
4755,"Universal,Security,Group,Management,Change"
4756,"Universal,Security,Group,Management,Member,Add,User"
4757,"Universal,Security,Group,Management,Member,Remove,User"
4758,"Universal,Security,Group,Management,Remove"
4759,"Universal,Distribution,Group,Management,Create"
4760,"Universal,Distribution,Group,Management,Change"
4761,"Universal,Distribution,Group,Management,Member,Add,User"
4762,"Universal,Distribution,Group,Management,Member,Remove,User"
4763,"Universal,Distribution,Group,Management,Remove"
4764,"Security,Group,Management,Type,Change"
4767,"User,Account,Unlock,Management"
4768,"Kerberos,Authentication,Request"
4769,Kerberos
4770,"Kerberos,Service,Renew"
4771,"Kerberos,Authentication,Fail,User"
4774,"Account,Map"
4776,"Credentials,System,Notice"
4778,"Session,Reconnect"
4779,"Session,Disconnect"
4780,"User,Account,Management"
4781,"User,Account,Management,Name,Change"
4783,"Application,Group,Management,Create"
4784,"Application,Group,Management,Change"
4785,"Application,Member,Add,Group,Management"
4786,"Application,Group,Management,Member,Remove"
4787,"Application,Non-member,Add,Group,Management"
4788,"Application,Group,Management,Non-member,Remove"
4789,"Application,Group,Remove,Management"
4790,"Application,Group,Management,LDAP,Query,Create"
4791,"Application,Group,Management,Change"
4792,"Application,Group,Management,LDAP,Query,Remove"
4793,"Other,Account,Management,Password,Policy,API,Call"
4794,"Attempt,Restore,Password,User,Account,Management"
4798,"Local,Group"
4800,"Application,Notice"
4816,"Violation,Detect,Application,Error"
4817,"Policy,Notice,Audit,Change"
4864,"Application,Notice,Authentication,Policy,Change"
4865,"Authentication,Policy,Change,Add,Forest,Information"
4866,"Authentication,Policy,Change,Remove,Forest,Information"
4867,"Authentication,Policy,Change,Forest,Information"
4868,"Deny,Request,Certificate,Application,Service"
4869,"Certificate,Application,Service,Resubmit,Request"
4870,"Certificate,Application,Service,Revoke"
4871,"Certificate,Application,Service,Receive,Request"
4872,"Certificate,Application,Service,Publish,List"
4873,"Certificate,Application,Service,Request,Change"
4875,"Certificate,Application,Service,Request,Shutdown"
4876,"Certificate,Application,Service,Backup,Start"
4877,"Certificate,Application,Service,Backup,Complete"
4878,"Certificate,Application,Service,Restore,Start"
4879,"Certificate,Application,Service,Restart,Complete"
4880,"Certificate,Application,Service,Start"
4881,"Certificate,Application,Service,Stop"
4882,"Application,Configuration,Change"
4883,"Certificate,Application,Service,Key,Retrieve"
4884,"Certificate,Application,Service,Import"
4885,"Application,Configuration,Change"
4886,"Certificate,Application,Service,Receive,Request"
4887,"Certificate,Application,Service,Approve,Request"
4888,"Certificate,Application,Service,Deny,Request"
4890,"Setting,Change,Certificate,Application,Service"
4891,"Application,Configuration,Change"
4892,"Application,Configuration,Change"
4893,"Certificate,Application,Service,Archive,Key"
4894,"Certificate,Application,Service,Archive,Import,Key"
4895,"Certificate,Application,Service,Publish"
4896,"Application,Configuration,Change"
4897,"Application,Configuration,Change"
4898,"Certificate,Application,Service,Load,Template"
4899,"Certificate,Application,Service,Template,Update"
4902,"Audit,Policy,Table,Create,Change"
4904,"Attempt,System,Notice"
4905,"Attempt,System,Notice"
4906,"Audit,Policy,Value,Change"
4907,"Audit,Policy,Setting,Change"
4908,"Policy,Notice,Audit,Change"
4912,"Audit,Policy,Change"
4928,"Application,Service,Establish"
4929,"Application,Service,Remove"
4930,"Application,Configuration,Change"
4931,"Application,Service"
4932,"Application,Service"
4933,"Application,Service"
4935,"Application,Service,Start"
4936,"Application,Service,End"
4937,"Object,Delete"
4944,"Application,Network,Notice,MPSSVC,Policy,Change"
4945,"Application,Network,Notice,MPSSVC,Policy,Change"
4946,"Application,Configuration,Change,MPSSVC,Policy,Change"
4947,"Application,Configuration,Change,MPSSVC,Policy,Change"
4948,"Application,Configuration,Change,MPSSVC,Policy,Change"
4949,"Application,Configuration,Change,MPSSVC,Policy"
4950,"Application,Configuration,Change,MPSSVC,Policy"
4951,"Network,Application,Warning,MPSSVC,Policy,Change"
4952,"Network,Application,Warning,MPSSVC,Policy,Change"
4953,"Network,Application,Warning,MPSSVC,Policy,Change"
4954,"Firewall,Policy,Notice"
4956,"Application,Notice"
4957,"Network,Application,Error,MPSSVC,Policy,Change"
4958,"Network,Application,Error,MPSSVC,Policy,Change"
4985,"Transaction,Change"
5024,"Network,Application,Up"
5025,"Firewall,Service,Stop"
5027,"Network,Application,Error"
5031,"Firewall,Block,Suspicious,Network"
5032,"Network,Application,Error"
5033,"Firewall,Driver,Start"
5034,"Firewall,Driver,Stop"
5035,"Firewall,Driver,Fail"
5037,"Firewall,Drive,Critical,Error"
5038,"Application,Error,File,Image,Hash,Invalid"
5056,"Application,Up"
5058,"File,Application,Service"
5059,"Migration,Application,Service"
5061,"Application,Up"
5136,"Directory,Service,Object,Change"
5137,"Directory,Service,Object,Create"
5138,"Directory,Service,Object,Undelete"
5139,"Directory,Service,Access,Object,Move"
5140,"Network,Object,Access"
5141,"Directory,Service,Object,Delete"
5142,"Network,Object,Access"
5143,"Network,Object,Access"
5144,"Network,Object,Access"
5145,"Network,Object,Access"
515,"Block,Suspicious,Network"
5152,"Block,Suspicious,Network"
5153,"Block,Suspicious,Network"
5154,"Allow,Connection"
5156,"Allow,Connection"
5157,"Deny,Connection"
5158,"Bind,Allow"
5159,"Block,Suspicious,Network"
530,"Login,Fail"
5376,"Credentials,Backup,User,Account,Management"
5377,"Credentials,Backup,Restore,User,Account,Management"
544,"System,Configuration,Change"
5440,"System,Notice,Filter,Policy,Change"
5441,"System,Notice,Filter,Policy,Change"
5442,"System,Notice,Filter,Policy,Change"
5443,"System,Notice,Filter,Policy,Change"
5444,"System,Notice,Filter,Policy,Change"
5446,"System,Configuration,Change"
5447,"System,Configuration,Change"
5448,"System,Configuration,Change,Filter,Policy,Change"
5449,"System,Configuration,Change,Filter,Policy,Change"
5450,"System,Notice,Filter,Policy,Change"
5478,"Service,Start,Successful,Application,Up"
5479,"Service,Shutdown,Successful,Application,Down"
5480,"Service,Fail,Security,Risk,Application,Error"
5483,"Service,Fail,Initialize,Server"
5484,"Server,Down"
5485,"Service,Fail,Process,Filter"
5712,"Application,Up"
592,"Application,Up"
6005,"Event,Log,Start"
6006,"Clean,Shutdown"
6008,"Bad,Shutdown"
6009,"System,Boot"
6144,"Security,Policy,Apply"
6145,"Policy,Warning,Other,Change"
6272,"Network,Connection,Allow"
6273,"Access,Deny,Suspicious,Network"
6274,"Discard,User,Request"
6276,"Quarantine,User"
6277,"Allow,User,Access"
6278,"Connection,Allow"
6279,"Lock,User,Account"
6280,"Unlock,User,Account"
6410,"Package,Application,Up"
6416,"External,Device,USB"
6422,"Package,Application,Up"
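
Added example, not LogPoint's code and not part of the original thread: the Python below emulates the rule's filter over constructed events, using a subset of the mapping above, to show which event IDs the three labels select and what each sub-status value would alert on. It assumes the query's space-separated terms are ANDed; the sample events and the contents of EXCLUDED_USERS are constructed.

```python
# Subset of the event-ID-to-label mapping posted in the answer above.
LABELS = {
    4624: {"User", "Login", "Successful"},
    4625: {"Fail", "Login", "User"},
    4771: {"Kerberos", "Authentication", "Fail", "User"},
    530: {"Login", "Fail"},
}
# 4625 sub-status values as listed in Microsoft's documentation.
PASSWORD_EXPIRED = "0xC0000071"
ACCOUNT_EXPIRED = "0xC0000193"
EXCLUDED_USERS = {"svc_backup"}  # hypothetical content for the EXCLUDED_USERS list

def event_ids_for(*wanted):
    """Event IDs whose labels include every requested label (assumption: terms are ANDed)."""
    return sorted(eid for eid, labels in LABELS.items() if set(wanted) <= labels)

def rule_matches(event, sub_status_code):
    """Mirror the rule: label filter, sub-status match, no machine or excluded accounts."""
    user = event.get("user", "")
    return (
        {"User", "Login", "Fail"} <= LABELS.get(event["event_id"], set())
        and event.get("sub_status_code", "").lower() == sub_status_code.lower()
        and not user.endswith("$")
        and not event.get("target_user", "").endswith("$")
        and user not in EXCLUDED_USERS
    )

# Constructed sample events; field names follow the query in the question.
EVENTS = [
    {"event_id": 4625, "user": "alice", "sub_status_code": "0xC0000071"},
    {"event_id": 4625, "user": "bob", "sub_status_code": "0xC0000193"},
    {"event_id": 4625, "user": "HOST01$", "sub_status_code": "0xC0000193"},
    {"event_id": 4625, "user": "svc_backup", "sub_status_code": "0xC0000193"},
    {"event_id": 4771, "user": "carol"},
]

def hits(sub_status_code):
    """Users from EVENTS that the rule would alert on for the given sub-status."""
    return [e["user"] for e in EVENTS if rule_matches(e, sub_status_code)]

if __name__ == "__main__":
    print("label=User label=Login label=Fail ->", event_ids_for("User", "Login", "Fail"))
    print("rule as shipped (password expired):", hits(PASSWORD_EXPIRED))
    print("rule as proposed (account expired):", hits(ACCOUNT_EXPIRED))
```
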

Hi,

once again, thank you for the quick response and for posting the label to event id mappings LP uses. They will definitely help me to better understand the shipped LP alert rules.

Regarding a bug tracker, I will open a suggestion within the ideas portal and wait to see whether the community supports the idea. When working with the LP I often come across some little things (some logs not being normalized, some minor bugs etc.), so personally I would like a central place to post these findings and\or to check whether LP is already aware of and working on these issues.

 

Andre


For now, the Community will probably have to do for these, but if you feel a public bug tracker would be useful, then please indeed log the idea in the ideas portal, ideally with some examples or suggestions on how it would look and work in practice.


Will put my suggestions in the idea portal when I find the time.

Still think LP should take a look at alert rule “LP_Windows Failed Login Attempt using an Expired Account” and the sub_status_code.

Just wanted LP to take a second look at the rule, therefore I will mark this question as resolved.

 

Thanks Nils
