topic Account Lockouts Report for Active Directory in Splunk Search

Account Lockouts Report for Active Directory

brookshelpdesk — Wed, 30 Sep 2020 02:14:35 GMT

Hello,

I'm running the following search that gives me accounts that get locked out and targets the specific domain controller that issues the security alert. I would like to add the time stamps when the user gets locked out:

(Current search)
index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc

I tried playing around with the following search:
index=main source=Security host= EventCode=4740
| eval Account=if(Target_Account_Name!=NULL, Target_Account_Name, user)
| eval Machine=if(Caller_Machine_Name!=NULL, Caller_Machine_Name, Caller_Computer_Name)
| fillnull Value="Unknown" Machine
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| dedup Time, Account
| dedup Account, Machine
| table Time, Account, Machine

(This search gives me the time stamp, the account name, but I don't see the domain controllers from this list). So, is there a way to get the domain controllers (see "current search" added to this?

Thanks in advance

Re: Account Lockouts Report for Active Directory

adonio — Sat, 21 Sep 2019 00:03:41 GMT

add the field _time to the split by
stats trims automatically all un-declared fields
something like this

   index=main source=Security host= EventCode=4740
    | stats count by Target_Domain Target_User_Name dvc _time

there are also many answers for this use case in this portal try and search: "4740" in the little search bar on top right

hope it helps

Re: Account Lockouts Report for Active Directory

brookshelpdesk — Sat, 21 Sep 2019 00:34:19 GMT

This was exactly what I was looking for. Just simply adding the _time gave me the info I needed (so simple).

Thank you

Re: Account Lockouts Report for Active Directory

brookshelpdesk — Sat, 21 Sep 2019 00:37:38 GMT

Adonio,

Thank you very much. That gave me the info I needed and all I needed to do was add the _time....So simple :}

Thanks,
Bob