topic Re: Account keeps getting locked out in Security

Account keeps getting locked out

jovnice — Tue, 19 Nov 2024 15:43:30 GMT

I have an employee who keeps getting locked out. I wanted to know how to put a script in to find out which device is getting locked out.

Re: lock out account

ITWhisperer — Tue, 19 Nov 2024 15:41:30 GMT

Do you have logs ingested into Splunk?

Can you share some anonymised examples of the events you are trying to detect?

Re: Account keeps getting locked out

jovnice — Thu, 21 Nov 2024 12:59:26 GMT

index=* source="activedirectory" eventtype="ad-files" Event*

These are the logs I have. They give me a lot of information. However, it is not the computer name that is getting locked out or if they are off-site.

Re: Account keeps getting locked out

ITWhisperer — Tue, 19 Nov 2024 15:59:28 GMT

Thanks. That was the search not the events. Do you have any evidence in logs that you have ingested into Splunk that the user is getting locked out?

Re: Account keeps getting locked out

jovnice — Tue, 19 Nov 2024 16:06:14 GMT

That search shows some who are locked out and some people who log in to a device. It shows some of everything. I wish it would determine who is locked out instead of stating no for everything.

Re: Account keeps getting locked out

ITWhisperer — Tue, 19 Nov 2024 16:20:19 GMT

Please share anonymised examples of your log events.

Re: Account keeps getting locked out

jovnice — Thu, 21 Nov 2024 12:57:32 GMT

_time user desc OU hostName lockout

How is this for an example?

Re: Account keeps getting locked out

ITWhisperer — Tue, 19 Nov 2024 17:47:44 GMT

From what you have shown so far, if the EventCode is "True", the user is locked out and you set lockout to "Yes", but you haven't shown any events where this is the case. Is this because there are no events like this?

Re: Account keeps getting locked out

jovnice — Tue, 19 Nov 2024 18:54:21 GMT

It does show locked-out users as well as unlocked users. Honestly, I know who is locked out and who is not. I wish it would be stated yes when it is instead of no for everyone. But the real issue I have is. How can I know what computer is locked out or if it is off-site?

Re: Account keeps getting locked out

ITWhisperer — Tue, 19 Nov 2024 23:48:42 GMT

Splunk can only report what it finds in the logged events or something it "calculates" from the events. So, the question remains, what evidence do you have in your log events that show that the user is locked out or off-site? (To be fair, you haven't told us what "locked out" or "off-site" mean, let alone shown evidence of these states!)

Re: Account keeps getting locked out

jovnice — Wed, 20 Nov 2024 13:01:08 GMT

I understand you're not able to help. Thanks for your help anyway.

Re: Account keeps getting locked out

richgalloway — Wed, 20 Nov 2024 13:53:07 GMT

It's very difficult to help with a search when we don't know what is being searched. Something in your indexed data must be showing when an account is locked out. Show us those events and we can help you craft a search for them.

Re: Account keeps getting locked out

jovnice — Wed, 20 Nov 2024 14:00:26 GMT

Thanks so much for trying to help me. I agree with what you stated. Something is wrong. However. I did;

I posted what was in the what was in the search.

Then, I posted what was ingested from the logs. I'm not sure what more information you need from me.

Re: Account keeps getting locked out

dural_yyz — Wed, 20 Nov 2024 14:20:29 GMT

| eval lockout=if(EventCode =True,"Yes","No")

Can you share how the field "EventCode" is evaluated. You shared your search and the results from your search. What would be helpful is an anonymized raw event which feeds into your search.

Any event which indicates an account is in lock out status may not show where the authentication attempt came from. This is why knowing the raw event is helpful to outsiders providing feedback. If you are really trying to discover the root of account lock outs then you need a search for failed log in attempts. The 2 data sets might come from different log entries.

Re: Account keeps getting locked out

ITWhisperer — Wed, 20 Nov 2024 14:27:49 GMT

What you posted with respect to the logs was a table of value for fields (presumably derived from your events). What would be more useful is the raw events e.g. the _raw field for the events you are trying to use to determine which device(s) the user(s) is(are) locked out from. If this evidence is not in your raw event data, it is highly unlikely that Splunk can help you find it. Having said that, there may be a sequence or possibly an incomplete sequence of events that indicate that a user failed to connect. For example, you may have evidence in your logs of connections and failed log in attempts on those sessions, or even just connection attempts. We have no idea until you share what information you have.

Re: Account keeps getting locked out

jovnice — Fri, 22 Nov 2024 12:57:24 GMT

Thanks for the information and explaining again what information you wanted. Here is the raw data you requested:

Re: Account keeps getting locked out

jovnice — Wed, 20 Nov 2024 15:08:28 GMT

Thank for the information

Re: Account keeps getting locked out

jovnice — Wed, 20 Nov 2024 15:48:17 GMT

As I looked into the information you asked me for, the eventcode is supposed to lock out event code 4740, and it stated yes for lockout if it locks out. And No, if it is not. But in the raw data. It seems like my lockout question, doesn't exist.

Re: Account keeps getting locked out

ITWhisperer — Wed, 20 Nov 2024 16:38:41 GMT

So you don't have any events for the locked accounts?

Re: Account keeps getting locked out

jovnice — Wed, 20 Nov 2024 16:43:12 GMT

The Statistics show locked and unlocked accounts, but the raw data does not show the event codes 4740 for yes and no.