EventViewerX: report CallerComputerName for 4740 lockouts

[PrzemyslawKlys]

Fix ADUserLockouts (event 4740) to populate the caller machine name from the event field CallerComputerName.

• Adds CallerComputerName
• Sets ComputerLockoutOn as a back-compat alias to CallerComputerName

Build:

• dotnet build Sources\EventViewerX\EventViewerX.csproj -c Release

[claude]

Claude finished @PrzemyslawKlys's task —— View job

---

Code Review Complete ✅

Todo List:

• Read and analyze the changed ADUserLockouts.cs file
• Review code quality and best practices
• Check for potential bugs or issues
• Assess performance considerations
• Evaluate security concerns
• Review test coverage needs
• Provide comprehensive feedback

Review Summary

The implementation looks solid overall. The changes correctly add CallerComputerName field extraction and provide backward compatibility through the ComputerLockoutOn alias.

Code Quality & Best Practices ✅

• Good: Clear XML documentation with appropriate <summary> tags
• Good: Follows established patterns in the codebase for data extraction using GetValueFromDataDictionary
• Good: Maintains consistency with other rule classes in the same namespace
• Good: Proper null/whitespace handling with trimming

Potential Issues 🟡

Minor: The ComputerLockoutOn property at ADUserLockouts.cs:30 is assigned but never validated independently. If CallerComputerName extraction fails, both properties will be empty string, which is acceptable but worth noting.

Performance Considerations ✅

• Good: Efficient string operations with single Trim() call
• Good: Early null/whitespace check avoids unnecessary processing
• Good: Direct assignment pattern minimizes allocations

Security Concerns ✅

• Good: Input sanitization through Trim() removes potential whitespace-based injection attempts
• Good: Safe null handling prevents null reference exceptions
• Good: No sensitive data exposure in the implementation

Test Coverage Needs 🔴

Missing: No unit tests found for ADUserLockouts class in the test suite. Consider adding tests for:

• CallerComputerName extraction with various input values (null, empty, whitespace, valid values)
• Backward compatibility verification for ComputerLockoutOn alias
• Edge cases like malformed event data

Technical Details

The implementation correctly extracts the CallerComputerName field from Windows Security Event 4740 (account lockout) data dictionary at ADUserLockouts.cs:46-48. This provides the actual source machine where bad password attempts originated, which is crucial for security incident investigation.

Recommendations

1. Add unit tests to verify CallerComputerName extraction behavior
2. Consider adding integration tests with sample 4740 events to validate end-to-end functionality

The code changes are production-ready and follow the established patterns well.

[PrzemyslawKlys]

Applied suggestion: CallerComputerName is now trimmed safely (string.IsNullOrWhiteSpace => empty). Build verified: dotnet build Sources\EventViewerX\EventViewerX.csproj -c Release.