Alerting

Account lockout notifications to be sent to separate depts based on which accounts get locked out? Can I send notifications for a group of users to a separate IT team on AD Account Lockout?

New Member

Hi all,

I work for my local county and we have several IT departments for different divisions.

I was wondering if Splunk can be configured to send account lockout notifications to specified email addresses based on the accounts that get locked out.

We just switched over from SolarWinds to Splunk. In SolarWinds we configured it to monitor certain AD accounts in a security group and only notify the IT department that manages those accounts.

Our IT person who has implemented Splunk says this is not possible and that it is all or nothing. Is this true? If not, is there documentation somewhere that would show how to configure this? I did a quick search and wasn't able to find anything that specifically answered my question. I'd like to provide our Splunk admin with something to go on to get this configured so we aren't all getting 40-50 account lockout notifications per day.

Thanks,
Brandon

Hi all,

I work for the county. And we just switched over to Splunk from SolarWinds. We have a couple of different IT departments depending on the division. Right now all account lockouts across the county are being sent to every IT team (the email we have configured sends to them all). SolarWinds was able to notify a different email address when certain accounts in an AD security group got locked out.

I was wondering if there was a way to send notifications to certain IT groups based on which AD accounts get locked out.

Our IT person handling Splunk is saying that this isn't possible and that it is all or nothing. I find this hard to believe. Are they correct?

Thanks,
Brandon

0 Karma

SplunkTrust

I would say you can, but it will take some work to create the search logic and lookup tie-ins. You can dynamically send emails to different groups based on results using something like sendresults (https://splunkbase.splunk.com/app/1794/). You can run a search that looks for account lockouts, query LDAP (https://splunkbase.splunk.com/app/1151/) for the group and see which IT team they are assigned to, and send the results only to that team. Depending on the size of your AD you may want to schedule a search once a day, or however frequently you need, to pull the relevant AD information and output it to a CSV lookup in Splunk so your search looking for lockouts isn't constantly hitting LDAP.

0 Karma
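One way to wire up the approach in the answer above, written as two `savedsearches.conf` stanzas. This is an added example, not part of the original thread and not taken from either app's documentation. It assumes both linked apps are installed, that sendresults reads the recipient from an `email_to` field, and that the Windows add-on extracts the locked-out account as `user`. The index, lookup file name, group names and mailboxes are hypothetical.

```ini
# Added example. Hypothetical names: index "wineventlog", lookup
# "lockout_routing.csv", the two AD groups and every @county.example mailbox.

# 1) Once a day, cache "account -> owning IT team mailbox" so the alert search
#    never queries LDAP itself. memberOf lists direct group membership only;
#    accounts that match no mapped group are left out of the lookup.
[Lockout Routing - Build Lookup]
enableSched = 1
cron_schedule = 0 5 * * *
search = | ldapsearch domain=default search="(&(objectClass=user)(memberOf=*))" attrs="sAMAccountName,memberOf" \
| mvexpand memberOf \
| eval email_to=case( \
    like(memberOf, "CN=Managed-By-PublicWorks-IT,%"), "pw-it@county.example", \
    like(memberOf, "CN=Managed-By-Sheriff-IT,%"), "sheriff-it@county.example") \
| where isnotnull(email_to) \
| eval user=lower(sAMAccountName) \
| dedup user email_to \
| table user email_to \
| outputlookup lockout_routing.csv

# 2) Every 15 minutes, find lockouts (Windows Security event 4740), attach the
#    owning team's mailbox from the cached lookup, and mail each row only to
#    that mailbox. Accounts missing from the lookup go to a fallback mailbox
#    so a lockout is never silently dropped.
[AD Account Lockout - Routed]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
search = index=wineventlog EventCode=4740 \
| eval user=lower(user) \
| lookup lockout_routing.csv user OUTPUT email_to \
| fillnull value="splunk-admins@county.example" email_to \
| mvexpand email_to \
| table _time host user email_to \
| sendresults
```

Because sendresults does the mailing inside the search, the second stanza needs no separate email alert action. An account that sits in more than one mapped group produces one row per team after `mvexpand`, so each team is notified.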

SplunkTrust

Yes, by default a Splunk alert is all or nothing, but it is possible to dynamically alert with a little work.

0 Karma