topic Re: Failed Login to Locked out account in Splunk Search

Failed Login to Locked out account

mihall — Mon, 08 Jun 2020 17:41:30 GMT

I am trying to identify an event that fires when a login has been attempted to a previously locked account. I am not looking for failed logins or lockout events. I just want the failed login attempt that occurred on an account that was already locked out. Any help figuring out how to design a query for this would be great.

Re: Failed Login to Locked out account

abhijit_mhatre — Tue, 29 Sep 2020 14:57:06 GMT

Hi Mihall,

If an account gets locked out, the next event coming would be either a failed logon(EventCode4625) or Kerberos pre-authentication failed(4771) event for that particular account. You can use the below query:

index=winsec EventCode=4625 OR EventCode=4771 user=abc(locked out user) | eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S") | dedup user ComputerName | eval Error=coalesce(Failure_Reason, Failure_Code)| table Time user Error EventCodeDescription

Let me know if this works.
Thanks.

Re: Failed Login to Locked out account

mihall — Wed, 19 Jul 2017 17:45:36 GMT

The results produced are showing all failed logins, including events that occurred due to a failed password attempt. Is there a way to narrow this down further so that it's only showing events that came after a lockout. Thanks

Re: Failed Login to Locked out account

abhijit_mhatre — Thu, 20 Jul 2017 10:03:23 GMT

The event which will occur after an account gets locked out, would be a failed login event. So if user=abc gets locked out, the next event for user=abc would be failed logon. EventCode 4625 would show you failed logon events

Re: Failed Login to Locked out account

mihall — Thu, 20 Jul 2017 12:47:32 GMT

So would the following search and subsearch find the locked out accounts and look for failed logon attempts to them?

EventCode=4625 [search EventCode=4740] | table user, _time

Re: Failed Login to Locked out account

abhijit_mhatre — Thu, 20 Jul 2017 14:39:34 GMT

Yes it would work, just modifying the query a little bit:

index=winsec EventCode=4625 user=abc | append [search EventCode=4740 user=abc] | table user, _time

Re: Failed Login to Locked out account

mihall — Thu, 20 Jul 2017 15:34:38 GMT

what does append do here?

Re: Failed Login to Locked out account

abhijit_mhatre — Thu, 20 Jul 2017 15:48:18 GMT

It will append the search result of one search with another.

Re: Failed Login to Locked out account

jchintha — Wed, 30 Sep 2020 05:36:54 GMT

Locked out account searchform

Account Lockout Search

eventtype="windows_events" sourcetype="WinEventLog:Security" EventCode=4740 OR EventCode=4723 OR EventCode=4724 OR EventCode=4625 OR EventCode=4769 OR EventCode=4767 OR EventCode=4776 user="$user$" | eval Workstation_Name=coalesce(Workstation_Name,Source_Workstation) | table _time, src_ip, user, action, Workstation_Name, src_nt_host, name, Failure_Reason | rename name AS Description | sort user

<!-- the default is a text box, with no seed value; if user does not input
      a value, then the $from$ token in searchTemplate will be removed -->
<input type="text" token="user">
  <default>*</default>
</input>
<input type="time">
  <default>
    <earliestTime>-15m</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>


<panel>
  <table>
    <event>
      <title>Results</title>
      <option name="count">50</option>
    </event>
  </table>
</panel>


<panel>
  <chart>
    <title>Top Descriptions</title>
    <searchPostProcess>| top limit=20 Description</searchPostProcess>
    <option name="charting.chart">bar</option>
  </chart>
</panel>
<panel>
  <chart>
    <title>Top Source IP by Time</title>
    <searchPostProcess>| timechart count by src_ip limit=10</searchPostProcess>
    <option name="charting.chart">bar</option>
  </chart>
</panel>


<panel>
  <table>
    <title>Count over time</title>
    <searchPostProcess>| chart sparkline count by user</searchPostProcess>
    <format field="sparkline" type="sparkline"></format>
  </table>
</panel>