Merge pull request #569 from CrossRealms/add-alert-for-the-login-fail…

…ure-due-to-password-expired

Added alert for the login failure due to password expire

cyences_app_for_splunk/default/data/models/Cyences_Authentication.json

@@ -737,7 +737,7 @@
                     "editable": true,
                     "comment": "",
                     "calculationType": "Eval",
-                    "expression": "coalesce(error_code,Error_Code, \"unknown\")"
+                    "expression": "if((EventCode=4768 OR EventCode=4771), Result_Code, coalesce(error_code,Error_Code, \"unknown\"))"
                 }
             ],
             "constraints": [

cyences_app_for_splunk/default/macros.conf

@@ -745,6 +745,9 @@ definition = 10
 [cs_ad_bulk_user_creation_deletion_filter]
 definition = search *
 
+[cs_ad_login_failure_due_to_password_expire_filter]
+definition = search *
+
 [cs_windows_host_missing_update_filter]
 definition = search *
 iseval = 0
@@ -1292,14 +1295,14 @@ definition = Authentication.app=*
 iseval = 0
 
 [cs_bruteforce_from_user_additional_filter]
-definition = (Authentication.error_code!="0xC0000071")
-# error_code="0xC0000071" Windows Password Expired events
+definition = (Authentication.error_code!="0xC0000071") (Authentication.error_code!="0x17")
+# error_code="0xC0000071" or "0x17" Windows Password Expired events
 # Apply filter on Authentication.* field (tstats where condition filter format, you can use !=, =, OR and AND condition)
 iseval = 0
 
 [cs_bruteforce_from_source_additional_filter]
-definition = (Authentication.error_code!="0xC0000071")
-# error_code="0xC0000071" Windows Password Expired events
+definition = (Authentication.error_code!="0xC0000071") (Authentication.error_code!="0x17")
+# error_code="0xC0000071" or "0x17" Windows Password Expired events
 # Apply filter on Authentication.* field (tstats where condition filter format, you can use !=, =, OR and AND condition)
 iseval = 0
 

cyences_app_for_splunk/default/savedsearches.conf

@@ -4642,6 +4642,40 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Windows, Windows AD
 
 
+[AD - Login Failure due to Password Expired]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 55 * * * *
+description = This alert will be triggered if login failure due to password expiration. \
+\
+Data Collection - Splunk_TA_windows - WinEventLog://Security stanza
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_wineventlog_security` EventCode IN (4768, 4771) Result_Code="0x17" \
+| dedup ComputerName Account_Name \
+| `cs_human_readable_time_format(_time, event_time)` \
+| table event_time ComputerName Account_Name src_ip user_type status \
+| `cs_user_privilege_mapping(Account_Name)` \
+| eval cyences_severity = if(is_privileged_user=="Yes", "high", "medium") \
+| `cs_ad_login_failure_due_to_password_expire_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_ad_login_failure_due_to_password_expire_filter
+action.cyences_notable_event_action.contributing_events = `cs_wineventlog_security` EventCode IN (4768, 4771) Result_Code="0x17"
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Windows, Windows AD
+
+
 
 # ============
 # Ransomware