Is there a way to check in the Cisco ISE logs why it's using some privileged account to access various AD servers around the global branches? Is there any setting or log filter that shows why, or which device is being accessed by ISE?
Logs like the ones below were found on the SIEM:
Caller computer name : \\companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: domain name
Subject account name : user account
Subject account domain: domain
Device host name : company.us.com
Device event class ID : Microsoft-Windows-Security-Auditing:4740
This rule triggers on every instance of Windows event ID 4740 - a user account was locked out.