IBM Security QRadar

  • 1.  Scheduled Tasks

    Posted Fri May 15, 2020 03:35 PM
    Hi All,

    I'm currently working with an administrator from another team & we appear to have hit a wall in terms of finding the source of the issue at hand. This concerns accounts locking out on various computers at roughly the same time each Friday.

    When his team get alerts, the alerts state that the source of the lockouts is our SIEM, which is QRadar. However, the logs I find in Log Activity on QRadar show that the source IP address of the lockouts is different from the source IP used by our SIEM.

    From one of the machines that gets locked out, the security event log shows that several accounts, with our SIEM as the source, are trying to authenticate with a server. However, when I looked at the accounts that are on the SIEM, none of the accounts showing in the security event log are in the SIEM.

    I then decided to run Wireshark to capture the traffic at the time this was happening. The PCAP file shows that when one of the accounts gets locked out, an error code is produced: 0xc0000234. The text that accompanies that code is: "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested." Wireshark won't go down far enough into the data to show which (if any) services are being used or whether any of them are causing the lockout by using incorrect credentials.

    The other admin has been in contact with an engineer from Microsoft & they have asked him whether there are any scheduled tasks that run each Friday on the computers that get locked out. Since he sees that the alerts are coming from our SIEM, he & his team believe that it is our SIEM that is causing the lockouts & have asked my team whether there are any scheduled tasks that run at that time.

    I've searched online to see whether it is possible to schedule tasks on QRadar, but I don't believe it can do this. I'm aware that we can schedule reports & scans to be run, but I can't find anything about scheduling a task that tries to log in to various machines at a specific time. Thus, is it possible to schedule such a task? If so, where would this feature be found on QRadar?

    Many thanks in advance.

    Regards,
    Liam

    ------------------------------
    Liam Nolan
    ------------------------------


  • 2.  RE: Scheduled Tasks

    Posted Mon May 18, 2020 09:46 AM
    Hello Liam,
    did you double-check all your Windows log sources? From what I can imagine, you could have one (or more) Windows MSRPC log source with invalid credentials and, when it tries to connect to the Windows server, it locks the user out.

    Regards,
    Mario

    ------------------------------
    Mario Sebastiani
    ------------------------------



  • 3.  RE: Scheduled Tasks

    Posted Mon May 18, 2020 11:57 AM
    Hi Mario,

    We managed to get the netlogon logs from one of the machines in question. There was one line that stood out:

    05/08 14:26:17 [LOGON] [9956] XXXX: SamLogon: Transitive Network logon of 10.2.1.141\administrator from SIEM01 (via XXXXXXXXXX) Returns 0xC0000064 

    From what I've found online, the code C0000064 indicates that the user does not exist. Would it be possible, then, for our SIEM to try to log on to one of these machines with an account that does not exist anymore, or is it the case that our SIEM is merely alerting us to the fact that a logon has failed?



    ------------------------------
    Liam Nolan
    ------------------------------
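As an added example (not code from the thread, from QRadar or from Microsoft), the following Python decodes the two NTSTATUS values quoted in the posts above (0xC0000234 and 0xC0000064) and groups the "Returns" lines of a netlogon.log by the host named after "from", i.e. the machine that presented the credentials to the domain controller. The sample lines are constructed to match the format of the line in post 3; the host names SIEM01, DC01 and WS042, the domain CORP and the account names are assumptions for the example.

```python
"""Decode netlogon.log SamLogon results and rank the hosts that presented bad credentials.
Added example; not QRadar or Microsoft code."""
import re
from collections import Counter, defaultdict

# Logon-outcome NTSTATUS values as documented in MS-ERREF. 0xC... carries the error severity bits.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",        # account name does not exist (code from post 3)
    0xC000006A: "STATUS_WRONG_PASSWORD",      # account exists, password wrong: counts toward lockout
    0xC000006D: "STATUS_LOGON_FAILURE",       # generic "bad user name or password"
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",  # code seen in the PCAP in post 1
}

# One "Returns" line per completed SamLogon; the matching "Entered" line is the request and is ignored.
# "from <host>" is the workstation that presented the credentials; "(via <dc>)" is optional.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?P<dc_domain>[^:]+): "
    r"SamLogon: (?P<logon_type>.+?) logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]{1,8})$"
)


def _to_int(status):
    return int(status, 16) if isinstance(status, str) else status


def decode_status(status):
    """Map an NTSTATUS value (int or '0x...' string) to its symbolic name."""
    code = _to_int(status)
    return NTSTATUS.get(code, "UNKNOWN_0x%08X" % code)


def is_failure(status):
    """Top two bits 11 = error severity, so every 0xC... code is a failed logon."""
    return (_to_int(status) >> 30) == 0b11


def parse_netlogon_line(line):
    """Return a dict for a SamLogon 'Returns' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status_name"] = decode_status(rec["status"])
    rec["failed"] = is_failure(rec["status"])
    return rec


def failed_logons_by_source(lines):
    """{source_host: {account: {status_name: count}}} for failed attempts only."""
    out = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        rec = parse_netlogon_line(line)
        if rec and rec["failed"]:
            out[rec["source"]][rec["account"]][rec["status_name"]] += 1
    return {src: {acct: dict(c) for acct, c in accts.items()} for src, accts in out.items()}


def top_failure_sources(lines, limit=3):
    """Hosts ranked by total failed attempts; the top entry is where to look for the culprit."""
    totals = Counter()
    for line in lines:
        rec = parse_netlogon_line(line)
        if rec and rec["failed"]:
            totals[rec["source"]] += 1
    return totals.most_common(limit)


# Constructed sample in the netlogon.log format shown in post 3 (hosts/accounts are assumptions).
SAMPLE_LOG = [
    r"05/08 14:26:17 [LOGON] [9956] CORP: SamLogon: Transitive Network logon of 10.2.1.141\administrator from SIEM01 (via DC01) Entered",
    r"05/08 14:26:17 [LOGON] [9956] CORP: SamLogon: Transitive Network logon of 10.2.1.141\administrator from SIEM01 (via DC01) Returns 0xC0000064",
    r"05/08 14:26:18 [LOGON] [9956] CORP: SamLogon: Transitive Network logon of CORP\svc_collector from SIEM01 (via DC01) Returns 0xC000006A",
    r"05/08 14:26:19 [LOGON] [9956] CORP: SamLogon: Transitive Network logon of CORP\svc_collector from SIEM01 (via DC01) Returns 0xC000006A",
    r"05/08 14:26:20 [LOGON] [9956] CORP: SamLogon: Transitive Network logon of CORP\svc_collector from SIEM01 (via DC01) Returns 0xC0000234",
    r"05/08 14:26:21 [LOGON] [9956] CORP: SamLogon: Network logon of CORP\jdoe from WS042 Returns 0x0",
    r"05/08 14:26:22 [LOGON] [9956] CORP: SamLogon: Network logon of CORP\jdoe from WS042 Returns 0xC000006A",
    r"05/08 14:26:23 [MISC] [9956] DsGetDcName function called: client PID=1234, Dom:CORP Acct:(null) Flags: DS",
]

if __name__ == "__main__":
    for host, n in top_failure_sources(SAMPLE_LOG):
        print(host, n)
    for host, accts in failed_logons_by_source(SAMPLE_LOG).items():
        for acct, statuses in accts.items():
            print(host, acct, statuses)
```

Against a real file, pass the open handle (the log lives at C:\Windows\debug\netlogon.log once Netlogon debug logging is enabled on the DC) to `failed_logons_by_source`. In the sample, SIEM01 accounts for every failure: one STATUS_NO_SUCH_USER for a non-existent administrator account and two STATUS_WRONG_PASSWORD results for svc_collector followed by STATUS_ACCOUNT_LOCKED_OUT, which is the pattern the thread describes: a host repeatedly presenting stale credentials until the lockout threshold is hit.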



  • 4.  RE: Scheduled Tasks

    Posted Mon May 18, 2020 12:18 PM
    Hello Liam,
    is SIEM01 the hostname of your QRadar server? If so, it means that something on your QRadar server is trying to connect to that host with wrong credentials. In a standard configuration, the only component that can try this operation is a log source, so I'd suggest verifying the log source for the host from which you grabbed the netlogon logs and checking whether the username/password are correct.

    Regards,
    Mario

    ------------------------------
    Mario Sebastiani
    ------------------------------



  • 5.  RE: Scheduled Tasks

    Posted Thu July 02, 2020 04:24 AM
    Do you have the QVM feature within QRadar?

    This allows vulnerability scans to be performed; one of its features is performing a credentialed scan on a routine schedule. Credentials can be placed in a recurring schedule or in the central area shown here:
    https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qvm_config_central_credentials.html

    Another investigation path is to look at your log sources (via the Log Source Management app) for the source IP and see whether you have any credentials (such as for CIFS log sources) entered.

    ------------------------------
    JH
    ------------------------------