Hi All,
I'm currently working with an administrator from another team at the moment & we appear to have hit a wall in terms of finding the source of the issue at hand. This concerns accounts locking out on various computers at roughly the same time each Friday.
When his team gets alerts, the alerts state that the source of the lockouts is our SIEM, which is QRadar. However, the logs I find in Log Activity on QRadar show that the source IP address of the lockouts is different from the source IP used by our SIEM.
From one of the machines that gets locked out, the security event log shows that several accounts with a source from our SIEM are trying to authenticate with a server. However, when I looked at the accounts that are on the SIEM, none of the accounts that are showing in the security event log are in the SIEM.
I then decided to run Wireshark to capture the traffic at the time this was happening. In the PCAP file I can see that when one of the accounts gets locked out, an error code is produced, which is 0xc0000234. The text that accompanies that code is: "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested." Wireshark won't go down that far into the data to show which (if any) services are being used or whether any of them are causing the lockout by using incorrect credentials.
The other admin has been in contact with an engineer from Microsoft & they have asked him if there are any scheduled tasks that are run each Friday on the computers that get locked out. Since he sees that the alerts are coming from our SIEM, he & his team believe that it is our SIEM that is causing the lockouts & has asked my team if there are any scheduled tasks that are run at that time.
I've searched online to see if it is possible to schedule tasks on QRadar, but I don't believe it can do this. I'm aware that we can schedule reports & scans to be run, but I can't find anything in terms of being able to schedule a task that tries to log in to various machines at a specific time. Thus, is it possible to schedule such a task? If so, where would this feature be found on QRadar?
Many thanks in advance.
Regards,
Liam
------------------------------
Liam Nolan
------------------------------
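The post above describes three observations worth checking mechanically: lockouts whose recorded caller is the SIEM but whose network address is not the SIEM's, locked-out accounts that do not exist on the SIEM at all, and a recurring Friday timing. The following Python script is an added example, not code from the original post or from QRadar. It works on constructed sample lines in a simplified key=value layout (a real Windows event export or QRadar search result would need its own parser), and the SIEM host name, SIEM address and SIEM account list are assumed values.

```python
"""Correlate account-lockout events against what the SIEM is really doing.

Added example, not from the original post. The event format, host names,
addresses and accounts below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# NTSTATUS values as they appear in logon failure events (lower-cased for comparison).
STATUS_ACCOUNT_LOCKED = "0xc0000234"   # "account has been automatically locked"
STATUS_BAD_PASSWORD = "0xc000006a"     # wrong password for a valid account

# Assumed facts about the SIEM (constructed): its host name, its address, and
# the only account it is configured to authenticate with.
SIEM_HOSTS = {"SIEM01"}
SIEM_IPS = {"10.0.1.50"}
SIEM_ACCOUNTS = {"admin1"}

# Constructed sample events, one per logon attempt. 'caller' is the workstation
# name recorded in the event; 'src' is the network address it actually came from.
# 2024-05-03 and 2024-05-10 are both Fridays.
SAMPLE_LINES = [
    "2024-05-03T07:59:55 account=svc_backup status=0xc000006a src=10.0.7.33 caller=SIEM01",
    "2024-05-03T07:59:57 account=svc_backup status=0xc000006a src=10.0.7.33 caller=SIEM01",
    "2024-05-03T07:59:59 account=svc_backup status=0xc0000234 src=10.0.7.33 caller=SIEM01",
    "2024-05-03T08:00:02 account=j.doe status=0xc000006a src=10.0.7.33 caller=SIEM01",
    "2024-05-03T08:00:04 account=j.doe status=0xc0000234 src=10.0.7.33 caller=SIEM01",
    "2024-05-03T08:10:00 account=admin1 status=0x0 src=10.0.1.50 caller=SIEM01",
    "2024-05-10T08:00:01 account=svc_backup status=0xc0000234 src=10.0.7.33 caller=SIEM01",
]


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    fields["status"] = fields["status"].lower()
    return fields


def parse_lines(lines):
    return [parse_line(line) for line in lines]


def lockouts_per_source(events):
    """Map each source address to the set of accounts it locked out."""
    out = defaultdict(set)
    for e in events:
        if e["status"] == STATUS_ACCOUNT_LOCKED:
            out[e["src"]].add(e["account"])
    return dict(out)


def caller_address_mismatches(events, siem_hosts, siem_ips):
    """(caller, src) pairs where the event names the SIEM but the address is not the SIEM's.

    This is the discrepancy the post describes: the lockout alert blames the
    SIEM host, yet the network address is something else.
    """
    pairs = {(e["caller"], e["src"]) for e in events
             if e["caller"] in siem_hosts and e["src"] not in siem_ips}
    return sorted(pairs)


def locked_accounts_unknown_to_siem(events, siem_accounts):
    """Locked-out accounts that the SIEM is not configured to use at all."""
    locked = {e["account"] for e in events if e["status"] == STATUS_ACCOUNT_LOCKED}
    return locked - set(siem_accounts)


def lockouts_by_weekday_hour(events):
    """Count lockouts per (weekday, hour) to expose a recurring schedule."""
    counts = defaultdict(int)
    for e in events:
        if e["status"] == STATUS_ACCOUNT_LOCKED:
            counts[(e["ts"].strftime("%A"), e["ts"].hour)] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_lines(SAMPLE_LINES)
    print("lockouts per source address:", lockouts_per_source(evts))
    print("SIEM named but address differs:", caller_address_mismatches(evts, SIEM_HOSTS, SIEM_IPS))
    print("locked accounts not on the SIEM:", locked_accounts_unknown_to_siem(evts, SIEM_ACCOUNTS))
    print("lockouts by weekday/hour:", lockouts_by_weekday_hour(evts))
```

With the constructed data, every lockout comes from 10.0.7.33 while claiming the SIEM's host name, none of the locked accounts is one the SIEM uses, and the lockouts cluster on Fridays around 08:00. That combination points the investigation at whatever is running on the address behind the lockouts rather than at the SIEM's scheduler, which is the distinction the post is trying to establish.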