Failed Logins with Cloud App Security - Locked account

Question

I have created a policy that alerts when Activity Type equals "Failed log on" AND App equals "Active Directory". What I would like to be able to also find is a policy/report in CASB to show when an account is "LOCKED".

Cheers,

caroline_lee · Answer

SergioT1228&nbsp;Hi, one way you'd be able to see this is under the investigate blade &gt; users and accounts &gt; filter on the status=Suspended. Does that help?

sarahzin_shane · Answer

In addition to Caroline’s response, wanted to confirm that when you’re using Active Directory, that’s showing the alerts coming through Azure ATP as Azure ATP alerts are filtered using the application filter to Active Directory. You’re trying to find Azure ATP detected logins?
SergioT1228&nbsp;

sergiot1228 · Answer

Sarahzin_Shane&nbsp;Caroline_Lee&nbsp;Thank you both for your reply.&nbsp;Our ultimate goal is to replace our current 3rd party tool with CASB to secure our user Identity concerns.We are trying to get a weekly report for Failed Logons and locked accounts.&nbsp; As ATP is setup on all our DC's, we are looking for Failed logon from AD as well as local accounts on workgroup servers if possible.&nbsp; As I look through the report, it would be great to see the username that was utilized along with the reason it failed.&nbsp; it appears sometimes it has an account name but not always the username.&nbsp; I'm working with Advanced Hunting to see if there is anything there I can use to help supplement our reporting needs.&nbsp;My current action items from our team:Schedule weekly report - Failed logon attemptsSchedule weekly report - Locked accounts for the week&nbsp;Again, Thank you for your time.&nbsp;Cheers,

sergiot1228 · Answer

Sarahzin_Shane&nbsp;Caroline_Lee&nbsp;Thank you both for your reply.&nbsp;

Forum Discussion

Failed Logins with Cloud App Security - Locked account

4 Replies

Resources