Active directory disable user


Furkan İzci

Oct 16, 2024, 8:42:14 AM
to Wazuh | Mailing List
Hello,
I want to disable the user who has logon failure 3 times in MS SQL Server in Active Directory. How can I do this?

Delfina Lizarralde Bressan

Oct 16, 2024, 10:18:49 AM
to Wazuh | Mailing List
Hi Furkan!

To disable a user after three failed login attempts with Wazuh, you would first need to create a rule to detect failed login attempts.
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
Then, you would create an active response that runs a script to deactivate the user in Active Directory when the rule for three failed logins is triggered. Wazuh's active response framework allows you to take automatic actions based on triggered rules.
Use a PowerShell script to disable the user, and make sure Wazuh can run PowerShell scripts and has the appropriate permissions to disable accounts in Active Directory.
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html

After configuring the rule and active response, restart the Wazuh Manager to apply the changes, and test the setup by deliberately failing the MS SQL logon as the test user three times to confirm that the account is disabled automatically.

Let me know if this information is useful to you.
Regards!
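
The PowerShell step described in the reply above, sketched as an added example that is not part of the original thread and not Wazuh's own code. It assumes the default Windows agent install path, the ActiveDirectory module on the host, a hypothetical protected-account list, and that the alert carries the login name as the first comma-separated item of `data.win.eventdata.data`.

```powershell
# Added example: Wazuh active response that disables an AD account.
# Assumptions: default agent path, ActiveDirectory module installed, login name
# is the first item of data.win.eventdata.data in the alert JSON.
Import-Module ActiveDirectory
$LogFile   = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'
$Protected = @('Administrator', 'krbtgt', 'svc_sql')   # hypothetical never-disable list

function Write-ArLog([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0} disable-ad-user: {1}" -f (Get-Date -Format s), $Message)
}

# Wazuh hands the triggering alert to the script as one JSON document on STDIN.
$msg = [Console]::In.ReadLine() | ConvertFrom-Json
if ($msg.command -ne 'add') { Write-ArLog "ignored command '$($msg.command)'"; exit 0 }

# Constructed sample of the field: 'CORP\jdoe,  Reason: Password did not match ...'
$raw   = [string]$msg.parameters.alert.data.win.eventdata.data
$login = ($raw -split ',')[0].Trim()

# Only Windows-authenticated logins (DOMAIN\user) map to AD; SQL logins such as
# 'sa' do not. The strict pattern also keeps odd characters out of the AD lookup.
if ($login -notmatch '^[A-Za-z0-9.-]{1,15}\\([A-Za-z0-9._$-]{1,20})$') {
    Write-ArLog 'skipped: login is not in DOMAIN\user form'; exit 0
}
$sam = $Matches[1]

# Failed logons are cheap to generate, so never auto-disable critical accounts.
if ($Protected -contains $sam) { Write-ArLog "skipped protected account $sam"; exit 0 }

try {
    $user = Get-ADUser -Identity $sam -ErrorAction Stop
    if ($user.Enabled) {
        Disable-ADAccount -Identity $user -ErrorAction Stop
        Write-ArLog "disabled $($user.SamAccountName) (rule $($msg.parameters.alert.rule.id))"
    } else {
        Write-ArLog "$($user.SamAccountName) already disabled"
    }
} catch {
    Write-ArLog "failed for ${sam}: $($_.Exception.Message)"
    exit 1
}
```

The script is assumed to be started by a small `.cmd` wrapper in the agent's `active-response\bin` folder that calls `powershell.exe -File`, and the account the agent runs as needs delegated rights to disable users in the relevant OU only.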