How to search for failed logins of a specific Active Directory group?

SplunkLunk — Fri, 16 Sep 2016 12:57:53 GMT

Greetings. I am looking to search failed logins for a particular Active Directory group(s). I was thinking I'd have to do a subsearch based on what I've read in the forums. However, ldapsearch isn't an option due to the access I have in our managed Splunk (it's managed by a central team). So I can do a search for failed logins like so:

index=[my domain controllers index]  sourcetype=XmlWinEventLog:Security EventCode=4625 user!="*$" user!="SYSTEM" (LogonType=10 OR LogonType=3)

However, I don't know how to search just a specific group name at the same time and report on just the failed logins for members of that group. Alternatively I could add the members of the group individually, but since the group membership would change that would be ineffective (I wouldn't always be aware of the changes).

Does anyone have any advice?

Re: How to search for failed logins of a specific Active Directory group?

jmallorquin — Sat, 17 Sep 2016 17:39:11 GMT

Hi,

You should install and app to query the ldap for the members of the group that you want to filter.
https://splunkbase.splunk.com/app/1151/#/details

Hope i help you

topic Re: How to search for failed logins of a specific Active Directory group? in Splunk Search

How to search for failed logins of a specific Active Directory group?

Re: How to search for failed logins of a specific Active Directory group?