I don’t think you need the "Unknown username or bad password part, event 4625 is exactly that, no more, no less.
Rather than catching that in an Extractor, if you put it through pipeline rules. you can augment the information in the message. For instance, the link I gave above has a translation tables for the status/substatus code of the bad login… which you can place in a table to look up when the event happens and tell more about the bad login. There is another table for logon “type” if you are interested, that link has a “cheat sheet” you can download that has key windows security events (short list) to work with.
So with a pipeline and a rule like the one below nad it’s table lookups, you can get more detail and more presentable on your alert.
rule "bad_password_rule"
when
// Bad Password
to_string($message.winlog_event_id) == "4625"
then
let subject_0 = concat("PW-BAD: ", to_string($message.winlog_event_data_TargetUserName));
let subject_1 = concat(subject_0, " connecting to ");
let subject_fin = concat(subject_1, to_string($message.winlog_host_name));
set_field("short_detail", subject_fin);
//
// create detail of alert
let LogonTypeNumber = to_string($message.winlog_event_data_LogonType); //logon type... interactive, batch, etc...
let LogonTypeResult = lookup_value("winLogonType",LogonTypeNumber, 0); //Lookup logon type against bre-built table
let LogonTypeErr = lookup_value("WinLogonErr" ,to_string($message.winlog_event_data_SubStatus), 0); //lookup error reason in pre-built table.
let build_mess_0 = concat("Failed Password Attempt - ", to_string($message.winlog_event_data_TargetUserName)); //build out explanation for Error message
let build_mess_1 = concat(build_mess_0, " attempting to log in to ");
let build_mess_2 = concat(build_mess_1, to_string($message.winlog_event_SubjectDomainName));
let build_mess_3 = concat(build_mess_2, "-");
let build_mess_4 = concat(build_mess_3, to_string($message.winlog_host_name));
let build_mess_5 = concat(build_mess_4, ". Logon Type: ");
let build_mess_6 = concat(build_mess_5, to_string(LogonTypeResult));
let build_mess_7 = concat(build_mess_6, ". Attempt came from: ");
let build_mess_8 = concat(build_mess_7, to_string($message.winlog_event_data_WorkstationName));
let build_mess_9 = concat(build_mess_8, ". ERROR: ");
let build_mess_fin = concat(build_mess_9, to_string(LogonTypeErr));
set_field("the_explanation", build_mess_fin);
route_to_stream("security_reports");
end
and you can get a line out it similar to this:
Failed Password Attempt - greg.smith@kubernetes.com attempting to log in to DockerApp. Logon Type: NetworkClearText. Attempt came from: DockerOne. ERROR: User name is correct but the password is wrong - NTLM