Sep 22 2020 03:16 PM
I have created a policy that alerts when Activity Type equals "Failed log on" AND App equals "Active Directory". What I would like to be able to also find is a policy/report in CASB to show when an account is "LOCKED".
Cheers,
Sep 24 2020 06:43 AM
@SergioT1228 Hi, one way you'd be able to see this is under the investigate blade > users and accounts > filter on the status=Suspended. Does that help?
Sep 25 2020 09:53 PM - edited Sep 25 2020 09:54 PM
In addition to Caroline’s response, wanted to confirm that when you’re using Active Directory, that’s showing the alerts coming through Azure ATP as Azure ATP alerts are filtered using the application filter to Active Directory. You’re trying to find Azure ATP detected logins?
Sep 29 2020 08:43 AM
Thank you both for your reply.
Our ultimate goal is to replace our current 3rd party tool with CASB to secure our user Identity concerns.
We are trying to get a weekly report for Failed Logons and locked accounts. As ATP is set up on all our DCs, we are looking for Failed logon from AD as well as local accounts on workgroup servers if possible. As I look through the report, it would be great to see the username that was utilized along with the reason it failed. It appears sometimes it has an account name but not always the username. I'm working with Advanced Hunting to see if there is anything there I can use to help supplement our reporting needs.
My current action items from our team:
Schedule weekly report - Failed logon attempts
Schedule weekly report - Locked accounts for the week
Again, Thank you for your time.
Cheers,
Sep 29 2020 08:44 AM - edited Sep 29 2020 08:45 AM