Active Directory event log ID review
Here's a quick look at a scenario I recently went through: auditing logon failures with a SIEM solution. Sounds reasonably straightforward, right? Well... just like anything in life, nothing is easy.
If you research auditing logon failures, everything you'll see or read points to Event ID 4625, simply because the event's name is "An account failed to log on". While this is true, the event is only logged on the machine the user is attempting to log into.
This didn't really work for me because the SIEM I am working with is in the cloud and I cannot install an agent on each machine. I needed a central method to audit events within Active Directory.
After checking out a few resources online I discovered Event ID 4771. Without going too far into the weeds on the technical details of Kerberos and Active Directory, below is a brief summary of the Event ID details.
At the beginning of the day, when a user sits down at his or her workstation and enters their domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 4771.
I wrote a script in Azure Log Analytics that checks for this Event ID every 10 minutes and creates an incident whenever a user fails to log in more than 4 times within a 10-minute time frame. So far my testing has been successful.
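The detection described above as a Log Analytics (KQL) query, added here as an illustrative example rather than the author's own script. It assumes the domain controllers' Security log is forwarded into the SecurityEvent table and that the Kerberos failure code lands in its Status column; Windows records 4771 on the DC as "Kerberos pre-authentication failed", which is why counting it per account gives a centralized view of failed logons without an agent on every endpoint.

```kusto
// Constructed example: count Kerberos pre-authentication failures (Event ID 4771)
// per account over the last 10 minutes and surface accounts with more than 4.
// Schedule the query every 10 minutes so each run covers exactly one window.
let window = 10m;
let threshold = 4;
SecurityEvent
| where TimeGenerated > ago(window)
| where EventID == 4771
// Skip computer accounts (names ending in "$") so machine-to-DC noise does not raise incidents
| where TargetUserName !endswith "$"
// SourceIPs: one source suggests a stuck client or cached credential, many suggests a spray.
// FailureCodes (assumed to be in Status): 0x18 = bad password, 0x12 = account disabled or locked,
// 0x17 = password expired. DomainControllers shows which DC(s) handled the requests.
| summarize
    FailureCount      = count(),
    FirstFailure      = min(TimeGenerated),
    LastFailure       = max(TimeGenerated),
    SourceIPs         = make_set(IpAddress),
    FailureCodes      = make_set(Status),
    DomainControllers = make_set(Computer)
    by TargetUserName
| where FailureCount > threshold
| order by FailureCount desc
```

Each returned row is one account over the threshold for this window; wiring the query to an alert rule with the same 10-minute frequency turns those rows into the incidents described above.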