Deepak Muralidharan

Cisco ISE trying to use Super user credentials to access AD servers

Hi Experts,

Is there a way to check in the Cisco ISE logs why it's using some privileged account to access various AD servers around the global branches? Is there any setting or log filter to show why, or which device is being accessed by ISE?

Logs like the ones below were found on the SIEM:
Caller computer name : \\companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: domain name

Subject account name : user account
Subject account domain: domain

Device host name : company.us.com
Device event class ID : Microsoft-Windows-Security-Auditing:4740

This rule triggers on every instance of Windows event ID 4740 (a user account was locked out).

Active Directory, Network Security, Cisco, Network Management, Network Operations

Last Comment
Deepak Muralidharan

8/22/2022 - Mon