topic How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip? in Splunk Search

How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

kranthi851 — Tue, 11 Oct 2016 19:53:20 GMT

How to create an alert for lockouts in Windows Event Logs with the details of failed activity in last hour by src_ip's?

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

alemarzu — Tue, 11 Oct 2016 21:06:12 GMT

Hi @kranthi851

Try this out.

earliest=-1h@h latest=@h index=wineventlog sourcetype=WinEventLog:Security EventCode="4740"
| eval Account=mvindex(Account_Name, 1) 
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 3600 | fields - count
| map maxsearches=100 search="search index=wineventlog sourcetype=WinEventLog:Security EventCode="4625" earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=mvindex(Account_Name, 1) 
| regex Account!="\\$"
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason by Account src_ip | convert ctime(lastFailure) | rename Account AS "Blocked Account", count AS LoginFailures

This will search for account blocks and then go back in time one hour to find login failures for the blocked user.

Hope it helps.

EDIT: Query updated.

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

kranthi851 — Tue, 11 Oct 2016 21:12:44 GMT

Hi alemarzu, I tried this one and it din't show the results.

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

alemarzu — Wed, 12 Oct 2016 16:02:30 GMT

Sorry about that. Tested on lab and fixed.

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

kranthi851 — Mon, 17 Oct 2016 19:32:19 GMT

Hi Alemarzu, Its showing the results, but when i change the Query with (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) Keywords="Audit Failure")), its not working. is it possible to get the failed events by eventcode and src_ip?

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

alemarzu — Tue, 18 Oct 2016 20:19:43 GMT

Besides the changes you want to do now, the query worked out? If not, we have to start over.

Is not working with the eventcodes(4768,4771,4776) that you try to add for two main reasons:
- They have a completly different event structure.
- The query I've posted was made for those events only.

So please, let me know what you have in mind now so I can help you.

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

kranthi851 — Tue, 18 Oct 2016 20:24:49 GMT

Yes, The Query Worked. Thanks! I want to add other failure event codes as some account lockouts occurring of those event codes.

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

alemarzu — Wed, 19 Oct 2016 01:58:03 GMT

Okey then, give this a try, I don't have data to test it right now but let me know if it's not working aight ?

earliest=-1h@h latest=@h index=wineventlog sourcetype=WinEventLog:Security EventCode="4740" 
| eval Account=mvindex(Account_Name, 1)
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 3600 
| fields - count
| map maxsearches=100 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me")
| regex Account!="\\$"
| eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me")
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip 
| convert ctime(lastFailure) 
| rename Account AS "Blocked Account", count AS LoginFailures

Should be same as before but this one has a new field called "otherFailures", that will hold the other types of failures that you have mentioned. It is a concatenated field holding the EventCode and Resulting Code.

edit: tested and working

Re: How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip

sowmiyansk — Thu, 18 Nov 2021 13:26:44 GMT

Please help me with the below Query

1. Account lockouts(4740) and then go back in time one hour to find login failures(4625) for the blocked user.

2. Login failure(4625) and then go back in time 2 hour to find account lockout(4740) for the same failed login user.

SOURCE LOG BELOW :

4740 EVENT

4625 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>