topic Re: How to create an alert when a windows account is lockout and there is an unlock event within 5 mins of the being locked in Splunk Search

How to create an alert when a windows account is lockout and there is an unlock event within 5 mins of the being locked

djreschke — Tue, 03 Dec 2019 20:21:19 GMT

Good afternoon everyone,

Can someone point me in the right direction to creating an alert when a windows account is lockout and there is an unlock event within 5 mins of the being locked. I have the search built for both events but I am having trouble adding in the condition of the unlock event within 5 minutes.

Any help would be appreciated. Thank you

Here is the search I built to join the two searches but this is not what I am looking for:

index=wineventlog EventCode=4767 
| bin _time span=5m 
| stats count by Account_Name name 
| sort - count 
| rename count AS "Number of Unlocks" name AS "Unlock_Description" 
| join Account_Name 
    [ search index=wineventlog  EventCode=4740 
    | bin _time span=5m 
    | stats count by Account_Name name 
    | sort - count 
    | rename count AS "Number of Lockouts" name AS "Lockout_Description"] 
| table Account_Name "Unlock_Description" "Number of Lockouts" "Lockout_Description" "Number of Unlocks"

Re: How to create an alert when a windows account is lockout and there is an unlock event within 5 mins of the being locked

gcusello — Wed, 04 Dec 2019 07:54:28 GMT

Hi @djreschke,
you could use the transaction command or the stats command,

with transaction something like this:

index=wineventlog EventCode=4767 OR EventCode=4740
| transaction  host Account_Name startswith="EventCode=4767" endswith="EventCode=4740" maxspan=300s

or without transaction:

index=wineventlog EventCode=4767 OR EventCode=4740
| stats dc(EventCode) AS dcount earliest(_time) AS earliest  ltest(_time) AS latest BY host Account_Name
| where dcount=2 AND latest-earliest<300

The second one is more performant.

Ciao.
Giuseppe

Re: How to create an alert when a windows account is lockout and there is an unlock event within 5 mins of the being locked

djreschke — Wed, 04 Dec 2019 13:35:50 GMT

Giuseppe,

Thank for the searches, quick question, with the above searches how would I see if there where multiple lock and unlock events with the time frame?

Best,

Derek

Re: How to create an alert when a windows account is lockout and there is an unlock event within 5 mins of the being locked

gcusello — Wed, 04 Dec 2019 15:55:05 GMT

Hi @djreschke,
if you're sure that in tha observing period there's only one lock/unlock, you could add a stats count at the end of the search.

If instead you could have more lock/unlock in the same period, you have to use transaction adding a stats count at the end

index=wineventlog EventCode=4767 OR EventCode=4740
| transaction  host Account_Name startswith="EventCode=4767" endswith="EventCode=4740" maxspan=300s
| statas count BY host Account_Name

Ciao.
Giuseppe