In a Windows domain, I need to find out who attempted to log on as user

Easiest way is to find entries where user "Administrator" was used:
capture the source IP -- SourceIP from the event with Vendor code 4625
(failed login) -- then use the source IP from the above search to see who
authenticated to the workstation -- SourceIP for Vendor code 4624
(successful login).

This will give me which users authenticated to the domain and were issued an
IP address. This IP address now attempted to log on as Administrator.

Is there a scripted way of doing it? I can try similar things with
"Show Attributes" in a Correlated rule but I don't want a correlated
rule to look at every event. I just want an "EXTRA" event to be linked
to the correlated rule or just do a simple search.

Is this possible?


pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=51379
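The two-step search described in the post (failed 4625 logons for "Administrator", then the 4624 logons from the same source IP) can be scripted outside the SIEM once the events are exported. The block below is an added example, not code from the poster or from NetIQ/Sentinel; it assumes the events have already been pulled out of the Windows Security log into plain dicts with the fields EventID, TimeCreated, IpAddress and TargetUserName (the sample events are constructed). It adds two checks a practitioner would want: machine accounts (names ending in "$") are ignored when attributing the IP, and only the most recent successful logon inside a time window is used, because DHCP can hand the same address to a different user later in the day.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names mirror the
# Windows Security log: EventID, TimeCreated, IpAddress, TargetUserName, LogonType.
EVENTS = [
    {"event_id": 4624, "time": "2024-03-01T08:55:00", "source_ip": "10.0.5.23", "target_user": "jdoe",          "logon_type": 2},
    {"event_id": 4624, "time": "2024-03-01T08:56:00", "source_ip": "10.0.5.23", "target_user": "WS01$",         "logon_type": 3},
    {"event_id": 4625, "time": "2024-03-01T09:10:00", "source_ip": "10.0.5.23", "target_user": "Administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2024-03-01T09:10:05", "source_ip": "10.0.5.23", "target_user": "Administrator", "logon_type": 3},
    {"event_id": 4624, "time": "2024-03-01T09:30:00", "source_ip": "10.0.7.41", "target_user": "asmith",        "logon_type": 10},
    {"event_id": 4625, "time": "2024-03-01T09:45:00", "source_ip": "10.0.7.41", "target_user": "Administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2024-03-01T11:00:00", "source_ip": "10.0.9.9",  "target_user": "Administrator", "logon_type": 3},
]


def parse_time(value):
    """Timestamps in the sample are ISO-8601 strings; convert once for comparison."""
    return datetime.fromisoformat(value)


def failed_logons_for(events, account="Administrator"):
    """Step 1 of the post: every 4625 (failed logon) where the target account matches."""
    return [e for e in events
            if e["event_id"] == 4625 and e["target_user"].lower() == account.lower()]


def last_successful_logon_before(events, source_ip, when, window=timedelta(hours=8)):
    """Step 2 of the post: the most recent 4624 (successful logon) from source_ip
    that happened inside `window` before `when`. Machine accounts (ending in "$")
    are skipped because they say which computer, not which person, used the address."""
    candidates = [
        e for e in events
        if e["event_id"] == 4624
        and e["source_ip"] == source_ip
        and not e["target_user"].endswith("$")
        and when - window <= parse_time(e["time"]) <= when
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda e: parse_time(e["time"]))


def attribute_failed_admin_logons(events, account="Administrator", window=timedelta(hours=8)):
    """For each failed logon as `account`, record the source IP and the user most
    recently seen logging on from that IP. attributed_user is None when no prior
    successful logon exists in the window (an unknown or unmanaged source)."""
    results = []
    for failed in failed_logons_for(events, account):
        ip = failed["source_ip"]
        at = parse_time(failed["time"])
        prior = last_successful_logon_before(events, ip, at, window)
        results.append({
            "time": failed["time"],
            "source_ip": ip,
            "attributed_user": prior["target_user"] if prior else None,
        })
    return results


def summarize(results):
    """Group attributions by source IP: attempt count plus the distinct users seen."""
    summary = {}
    for r in results:
        entry = summary.setdefault(r["source_ip"], {"attempts": 0, "users": set()})
        entry["attempts"] += 1
        if r["attributed_user"] is not None:
            entry["users"].add(r["attributed_user"])
    # sorted lists are easier to read and to compare than sets
    return {ip: {"attempts": v["attempts"], "users": sorted(v["users"])}
            for ip, v in summary.items()}


if __name__ == "__main__":
    for ip, info in summarize(attribute_failed_admin_logons(EVENTS)).items():
        who = ", ".join(info["users"]) or "no prior logon in window"
        print(f"{ip}: {info['attempts']} failed Administrator logon(s), attributed to {who}")
```

The window and the machine-account filter are the two knobs to tune: shorten the window if DHCP leases in the environment are short, and widen it if users stay logged on for days. An address with attempts but no attributed user (as with 10.0.9.9 above) is worth looking at first, since nothing legitimate is known to have been using it.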