
Windows Infra app: "Account Lockout Activity - User" panel does not populate any data for EventCode=4740 (a user lock-out) Windows Security Event

Masa
Splunk Employee

"Account Lockout Activity - User" does not return any data

Splunk(v6.2.3)
Windows Infrastructure app (1.1.3)
Splunk_TA_windows (4.7.5)
SA-ldapsearch(2.1.0)

If I search EventCode=4740, the results include many events.

Other panels in the same view are all populated.

Masa
Splunk Employee

1) Fix the dest_nt_domain field extraction if it is not populated.
(ref: http://answers.splunk.com/answers/215946/splunk-add-on-for-microsoft-windows-why-am-i-getti.html )

  • transforms.conf

    [User_ID_as_dest_nt_domain]
    SOURCE_KEY = User_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Security_ID_as_dest_nt_domain]
    SOURCE_KEY = Security_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Target_Account_ID_as_dest_nt_domain]
    SOURCE_KEY = Target_Account_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Security_ID_as_src_nt_domain]
    SOURCE_KEY = Security_ID
    REGEX = ^([^\\]+)
    FORMAT = src_nt_domain::$1

2) Make sure ldap.conf has a proper alias.
Here is an example of alternatedomain properties:

  • ldap.conf

    [splunk.kom]
    alternatedomain = SPLUNK
    [support.splunk.kom]
    alternatedomain = SUPPORT

3) In $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local, add and edit palettesearches.conf
=> On Windows, the path separator is a backslash.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf
=> Find the stanza named ldaprecord.nt_domain.search.
=> Change the search string in the stanza by replacing DomainDNSname with DomainNetBIOSName.
=> This will display DomainNetBIOSName instead of DomainDNSname in the drop-down.

Here is an example:

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ldaprecord.nt_domain.search]
    search = | inputlookup DomainSelector | eval nt_domain=DomainNetBIOSName | dedup nt_domain | table nt_domain

4) In the same palettesearches.conf, add and edit the stanza named ActiveDirectory.UserAuditAccountLockoutActivity.Search.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf
=> Replace src_host with src_nt_host in "| eval actor=..."
=> This will set a proper Actor value.

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ActiveDirectory.UserAuditAccountLockoutActivity.Search]
    search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
    | dedup consecutive=T EventCode \
    | eval adminuser=src_nt_domain."\\".src_user \
    | eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
    | table _time,signature,actor \
    | rename signature as "Action",actor as "Actor"

5) In the Windows TA, add and edit the following props.conf and transforms.conf entries for Caller_Computer_Name_as_src_nt_host.
=> This will extract Caller_Computer_Name as src_nt_host, which is used as the Actor value.

  • $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf

    [source::*:Security]
    REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host

  • $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf

    [Caller_Computer_Name_as_src_nt_host]
    SOURCE_KEY = Caller_Computer_Name
    REGEX = ([^\\]+)$
    FORMAT = src_nt_host::$1

6) Optional: to change the table result for Account Lockout Activity - User from a single record to multiple records

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ActiveDirectory.UserAuditAccountLockoutActivity.Search]
    search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
    | eval adminuser=src_nt_domain."\\".src_user \
    | eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
    | table _time, signature, actor, src_nt_host, user \
    | stats count max(_time) AS maxtime min(_time) AS mintime values(user) AS Users by signature actor src_nt_host \
    | convert ctime(*time) \
    | rename mintime AS "Earliest", maxtime AS "Latest", signature as "Action", src_nt_host as "Workstation", actor as "Actor" \
    | table Actor Users Action Earliest Latest count
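As an added illustration (not part of Masa's answer or of the app or TA code), the following Python emulates how the transforms.conf stanzas from steps 1 and 5 turn the Security_ID and Caller_Computer_Name values of a 4740 event into dest_nt_domain and src_nt_host, and why the backslash in the regex has to be doubled. The conf text and the event field values are constructed samples.

```python
import re

# Constructed transforms.conf text following the stanzas in the answer (a subset).
# The backslash inside the character class must be doubled: a lone "\]" escapes
# the bracket, leaves the class unterminated, and the regex fails to compile.
TRANSFORMS_CONF = r"""
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = ^([^\\]+)
FORMAT = dest_nt_domain::$1

[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = ([^\\]+)$
FORMAT = src_nt_host::$1
"""

def parse_transforms(text):
    """Return {stanza_name: {key: value}} from minimal transforms.conf text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def apply_transforms(fields, stanzas):
    """Emulate report transforms: run REGEX on SOURCE_KEY, emit the FORMAT fields."""
    out = dict(fields)
    for stanza in stanzas.values():
        m = re.search(stanza["REGEX"], fields.get(stanza["SOURCE_KEY"], ""))
        if m:
            for pair in stanza["FORMAT"].split():
                name, ref = pair.split("::", 1)
                out[name] = m.group(int(ref.lstrip("$")))
    return out

# Constructed fields as Splunk_TA_windows extracts them from a 4740 event after
# SID resolution: DOMAIN\user for the account, \\HOST for the caller machine.
SAMPLE_4740_FIELDS = {"Security_ID": "SPLUNK\\svc-dc01", "Caller_Computer_Name": "\\\\WKSTN042"}

def enriched_sample():
    return apply_transforms(SAMPLE_4740_FIELDS, parse_transforms(TRANSFORMS_CONF))
```

With the single-backslash form from the page (`^([^\]+)`), `re.compile` raises an error, which is the same reason Splunk would silently produce no dest_nt_domain for the panel.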

Masa
Splunk Employee

Note that when you upgrade the app and TA, the problem might have been fixed. So, please double-check the view without these changes and see if the issue still exists or not.
