topic Re: Getting Started Question: Finding failed Windows logon attempts in Splunk Search

Getting Started Question: Finding failed Windows logon attempts

TylerTreat — Tue, 27 Aug 2013 15:09:00 GMT

Ok, Great! So we just got splunk running. Now what.

I've gone out and told it to grab AD data, so I thought Hey, how do I find failed logon attempts on the network? Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?

Any takers for a rookie question?

Re: Getting Started Question: Finding failed Windows logon attempts

ChrisG — Tue, 27 Aug 2013 15:22:52 GMT

You might want to take a look at the Splunk App for Active Directory, which includes a dashboard for user logon failures. If you're going to install that app, be sure to read the New to Splunk? topic in that manual.

You can set up an alert based on those saved searches; see the Splunk Alerting Manual for more information.

Re: Getting Started Question: Finding failed Windows logon attempts

lukejadamec — Tue, 27 Aug 2013 15:24:51 GMT

You should get yourself a copy of the Windows Security Operations Center.

It will have pre-built searches and dashboards for this activity.

However, you can do what you ask without the app. To find and alert on locked accounts use the following search:

index=main sourcetype="*security*" EventCode=644 OR EventCode=4740

In the upper right select Create > Alert, give it a name and select realtime, and select Next.

Select Send Email, and enter your email address.

Select Include Results - Inline

Select Next and select your Sharing option.

Select Finish.

Re: Getting Started Question: Finding failed Windows logon attempts

lukejadamec — Tue, 27 Aug 2013 15:59:14 GMT

I assume you have configured your smtp setting in Splunk.

Re: Getting Started Question: Finding failed Windows logon attempts

TylerTreat — Tue, 27 Aug 2013 19:03:12 GMT

yeah, so apparently i'm not completely talking to active directory until I install some forwarders. I saw "add data source" for AD or whatever on the firstrun page and did that.

Apparently its a bit more involved.

Re: Getting Started Question: Finding failed Windows logon attempts

lukejadamec — Tue, 27 Aug 2013 19:11:03 GMT

You don't need to install forwarders necessarily.
Go to Manager > Data Inputs > Remote Event Log Collections and select New. This will use WMI. You will need a windows domain account.

Re: Getting Started Question: Finding failed Windows logon attempts

TylerTreat — Tue, 27 Aug 2013 19:39:02 GMT

Will it prompt for the domain account or is it configured somewhere?

Re: Getting Started Question: Finding failed Windows logon attempts

lukejadamec — Tue, 27 Aug 2013 19:47:26 GMT

The service account that runs splunkd on the indexer needs to be a domain account. Here is an older post that speaks to WMI:
http://answers.splunk.com/answers/3701/how-to-get-wmi-data-collection-by-providing-to-splunk-the-remote-host-credentials

Re: Getting Started Question: Finding failed Windows logon attempts

TylerTreat — Wed, 28 Aug 2013 15:40:51 GMT

Great! This worked. Thanks!
Now we're hammering the daily limit for the free system. May have to dial it back a notch. 🙂

Re: Getting Started Question: Finding failed Windows logon attempts

lukejadamec — Wed, 28 Aug 2013 15:55:33 GMT

Do you have the deployment monitor app installed?
The initial data dump will be pretty large because it will collect all of the logs.

The deployment monitor > License Usage tab will show the indexing volume change over time.
Splunk support can help with license violations.

Re: Getting Started Question: Finding failed Windows logon attempts

lukejadamec — Wed, 28 Aug 2013 17:11:20 GMT

Don't forget to accept the answer. It lets other folks know the issue is closed.