https://community.splunk.com/t5/Security/Account-locked-out/m-p/261021#M13631 <P>index=winsec EventCode="4624" | dedup user| stats count as total by _time host user src_ip</P> <P>The above query wrks fine for extracting the <STRONG>sourceip</STRONG> for acccount logged on.</P> <P>But!!</P> <P>index=winsec EventCode="4740" | dedup user| stats count as total by _time host user src_ip is not working to extarct the ip address of the machine that got account locked out.</P> Tue, 29 Sep 2020 10:51:14 GMT Gayathirik 2020-09-29T10:51:14Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261021#M13631 <P>index=winsec EventCode="4624" | dedup user| stats count as total by _time host user src_ip</P> <P>The above query wrks fine for extracting the <STRONG>sourceip</STRONG> for acccount logged on.</P> <P>But!!</P> <P>index=winsec EventCode="4740" | dedup user| stats count as total by _time host user src_ip is not working to extarct the ip address of the machine that got account locked out.</P> Tue, 29 Sep 2020 10:51:14 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261021#M13631 Gayathirik 2020-09-29T10:51:14Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261022#M13632 <P>i just checked, the Event ID 4740 is not capturing the source ip's. its collecting only Computer names (host gives short hostname, ComputerName gives the FQDN). </P> <PRE><CODE>index=winsec EventCode="4740" | dedup user| stats count as total by _time host user ComputerName </CODE></PRE> <P>maybe, from ComputerName, you can do a dnslookup.</P> <P>updated - to get src_ip, maybe a subsearch will help - </P> <PRE><CODE>index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip </CODE></PRE> Tue, 30 Aug 2016 12:28:12 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261022#M13632 inventsekar 2016-08-30T12:28:12Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261023#M13633 <P>Yes, i have already used with computer name still i need to extract the sourceip that would give evn more clarification when the account is locked from a particular src_ip rather than computername..</P> Tue, 30 Aug 2016 13:29:39 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261023#M13633 Gayathirik 2016-08-30T13:29:39Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261024#M13634 <P>The src_ip is NOT available from Event ID 4740</P> <P>More info: <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740</A></P> <P>If you are looking for more information on what caused the lockout, you would need to look more into the failed logon attempts that lead up to the lockout.</P> Tue, 30 Aug 2016 13:32:01 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261024#M13634 jpolcari 2016-08-30T13:32:01Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261025#M13635 <P>to get src_ip, maybe a subsearch will help -</P> <P>index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip</P> Tue, 29 Sep 2020 10:47:32 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261025#M13635 inventsekar 2020-09-29T10:47:32Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261026#M13636 <P>This really wrks!!!Thanks a lot!!!</P> Wed, 31 Aug 2016 08:33:11 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261026#M13636 Gayathirik 2016-08-31T08:33:11Z https://community.splunk.com/t5/Security/Account-locked-out/m-p/261027#M13637 <P>Hi Gayathri, can you please mark this as the accepted answer (and (few) upvotes please <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> Wed, 31 Aug 2016 09:44:46 GMT https://community.splunk.com/t5/Security/Account-locked-out/m-p/261027#M13637 inventsekar 2016-08-31T09:44:46Z