All Apps and Add-ons

How to detect domain lockouts and configure an alert to trigger every time a user is locked out with proper throttling?

kchengfojp
Engager

Hi,

We currently have a standalone setup for Splunk and would like to receive alerts from Splunk when an account is locked out so that we may unlock the account manually. Company policy does not allow for auto-unlocking (health insurance sector) and users are often frustrated on when they get locked out.

Currently I have done the following:

  • Set up Splunk Forwarder to our Splunk Web server from three of our domain controllers
  • Created a dashboard from the Active Directory add-on and Windows Infrastructure App
  • Created panels within that dashboard that are appropriate for this task
  • Information/data is feeding through so that is not a problem

Problems:

  • We want to get an alert everytime a user is locked out
  • What we've done so far is used that same query that splunk auto provides within the dashboard and set up an alert from that, but everytime we do it, we get spammed via e-mail. We do a trigger per result.

We've done throttling too and it doesn't seem to work 100% as what if two people are locked out simultaneously? And what term do I put to throttle?

Does anyone have similar set ups to this?

Lastly, I've noticed that running this search job/alert job takes up a lot of resources in terms of "cleaning the dispatch logs"

0 Karma

dolejh76
Communicator

I use this search for a dashboard. Might be able to use this to help in your query...

index=wineventlog EventCode=4740 host=* | stats count by Account_Name | sort - count | rename Account_Name to "User Name", count to "Number of Lockouts"

0 Karma

dolejh76
Communicator

PS - we use the AD addon but this is just from the event logs.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...