Getting Data In
Highlighted

How can I create an alert for RDP logins without CyberArk credential check out

New Member

I am looking for a way to capture events where a user did not check out credentials from CyberArk before using them to RDP, so a scenario would be that someone checked out some credentials for 12 hours, he used it, then uses it again after 12 hours without doing another checkout.

I have a search where I am using a transaction command to capture CyberArk checkout events and Windows login events and looking for incomplete transactions with closed_txn=0. I have a query built but it does not seem to be capturing the right events because the result that shows up which has the two logs combined (Cyberark checkout and windows login) don’t have the correct information, the account name that was checked out does not match the account name used to login via RDP.

(index=wineventlog AND sourcetype="WinEventLog:Security" AND (LogonType=3 OR LogonType=10 OR LogonType=11) AND [inputlookup xxx.csv | fields + AccountName ])
OR (index=main AND sourcetype="cyberark:epv:cef" AND "Retrieve password" AND (cn2="(Action: Show Password)" OR cn2="(Action: Copy Password)"))
| eval "Logon Behaviour"=case(LogonType==3,"Interactive",LogonType==10,"Remote Interactive",LogonType==11,"Cached Interactive")
| eval "Windows Account"=mvindex(Account
Name,1)
| transaction startswith="Retrieve password" endswith="Logon Type" keepevicted=1 keeporphans=1
| search closedtxn=0
| bucket _time span=12h
| stats count by _time "Windows Account" action Workstation
Name "Logon Behaviour"
| rename action as "Logon Result" Workstation_Name as "Workstation"

Below are a sample checkout event and a sample RDP event. I would appreciate any help in figuring this out or a better way to accomplish something like this.

Check Out Event
Aug 16 06:50:53 XXXXXX ABC: 0|Cyber-Ark|Vault|9.80.0000|295|Retrieve password|5|act=Retrieve password suser=user1 fname=fname1 dvc=dvc1 shost=192..x.x.x dhost=dhost1 duser=duser1 externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=EA_VSA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5=192.168.122.30 cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=(Action: Copy Password)Troubeshooting msg=(Action: Copy Password)Troubeshooting

RDP event

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=computername1
TaskCategory=Logon
OpCode=Info
RecordNumber=12345678
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: AccountName1
Account Domain: domain1
Logon ID: 0x3E7

Logon Type: 2

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: duser1
Account Domain: domain1

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x5f4
Caller Process Name: C:\Program Files\process

Network Information:
Workstation Name: workstation1
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi

Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

0 Karma
Highlighted

Re: How can I create an alert for RDP logins without CyberArk credential check out

SplunkTrust
SplunkTrust

@akhan92394,

Does this general logic work for you ?

  • latest(_time) of events from two sources(windows,cyberark) by username
  • Calc diff between two times and if diff >12hrs, user hasn't retrieved password.
0 Karma