One of the coolest things about working at ExtraHop is getting to hear stories about how fast customers start getting value from using our product. These stories often come from our team of dedicated trainers, who are on the front lines as customers learn how to leverage wire data to improve the performance and security of their operations.
Recently, one of our senior trainers completed a training session with the IT team of a large municipal police department. The IT team had been dealing with some recent login failure issues that were impacting officers' and court officials' ability to access arrest and court records needed for proper adjudication.
During the training, a participant asked a generic question regarding what ExtraHop could do with Active Directory (learn more about our Active Directory solution). Since the customer had the Active Directory bundle already installed, our trainer was able to look into the data gathered over the past week.
Upon first look, our trainer could tell that there was one account associated with most of the login failures. The login failures were coming from two adjacent IP addresses. Those IP addresses were associated with production infrastructure delivering services to internal stakeholders of the police department, including officers, court judges, and parole officers. This system allowed users to pull up identifying records about criminal history.
The account with the login failures belonged to a former member of the IT team. These login failures began the day the employee left - the same day his user account had been disabled. It turned out that this employee had installed an application under his own user account instead of a service account. When he left the department, the account was disabled, which in turn broke the application: it kept trying to authenticate with credentials for an account that no longer worked. This explained both why the service had stopped working and why the login attempts were failing.
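The triage described above boils down to three questions: which account is behind most of the failures, which source IPs are generating them, and did they begin on the day the account was disabled. The following is an added example, not ExtraHop's code or anything from the original story, that runs that logic over a constructed set of authentication-failure events; the account names, IP addresses, dates and the `DISABLED_ON` feed are all made up for illustration.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample of authentication failures, loosely modelled on the fields a
# wire-data or log source exposes (timestamp, account, source IP, failure reason).
# None of these values come from the original story.
NOISE = [
    ("2019-03-03T09:12:44", "asmith", "10.20.40.5", "bad_password"),
    ("2019-03-05T14:03:10", "asmith", "10.20.40.5", "bad_password"),
    ("2019-03-05T14:03:25", "asmith", "10.20.40.5", "bad_password"),
    ("2019-03-06T11:47:01", "bwong", "10.20.41.9", "bad_password"),
]
# A disabled account whose credentials are baked into an application on two
# adjacent production hosts: failures start the day the account was disabled
# and repeat on a fixed schedule, which is what an application retry loop looks like.
DISABLED_ACCOUNT_FAILURES = [
    (f"2019-03-{day:02d}T{hour:02d}:00:00", "jdoe", ip, "account_disabled")
    for day in (4, 5, 6)
    for hour in range(0, 24, 6)
    for ip in ("10.20.30.11", "10.20.30.12")
]
EVENTS = NOISE + DISABLED_ACCOUNT_FAILURES

# Hypothetical feed from the directory: account -> date it was disabled.
DISABLED_ON = {"jdoe": date(2019, 3, 4)}


def top_failing_accounts(events, n=3):
    """Rank accounts by failure count; the story's 'one account' jumps out here."""
    return Counter(e[1] for e in events).most_common(n)


def sources_for_account(events, account):
    """Source IPs behind an account's failures, with counts per IP."""
    return Counter(e[2] for e in events if e[1] == account)


def correlate_with_disabled(events, disabled_on):
    """For each disabled account that is still failing, report when the failures
    began relative to the disable date and which hosts they come from."""
    report = {}
    for account, disabled in disabled_on.items():
        times = sorted(datetime.fromisoformat(e[0]) for e in events if e[1] == account)
        if not times:
            continue
        before = sum(1 for t in times if t.date() < disabled)
        report[account] = {
            "disabled_on": disabled.isoformat(),
            "first_failure": times[0].isoformat(),
            "failures": len(times),
            "failures_before_disable": before,
            # True when nothing failed before the disable date and the first
            # failure lands on it: the offboarding, not a bad password, is the cause.
            "started_on_disable_day": times[0].date() == disabled and before == 0,
            "sources": sorted(sources_for_account(events, account)),
        }
    return report


if __name__ == "__main__":
    for account, count in top_failing_accounts(EVENTS):
        print(f"{account}: {count} failures from {dict(sources_for_account(EVENTS, account))}")
    for account, info in correlate_with_disabled(EVENTS, DISABLED_ON).items():
        print(account, info)
```

Run as-is, the script ranks `jdoe` far ahead of the noise, lists the two adjacent hosts, and flags that the failures began on the disable date with none before it. The same grouping-and-correlation step is a useful standing check after any offboarding: a disabled account that keeps failing from a production host almost always means an application or scheduled task was set up under a person's credentials rather than a service account.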
Prior to ExtraHop, the IT team had tried a built-in log analysis tool and their traditional monitoring tools to find the issue, without any luck. ExtraHop proved much more powerful, giving them insight not only into the nature of the problem (failed logins) but also its cause (a disabled account) and its source (two specific IP addresses) in just a couple of minutes!
This issue had been pressing on the department for a few days, but within a matter of minutes ExtraHop was able to get to the root of the issue, allowing the department to move the application from a user account to a service account and restore access.