"Account Lockout Activity - User" does not return any data
Splunk (v6.2.3)
Windows Infrastructure app (1.1.3)
Splunk_TA_windows (4.7.5)
SA-ldapsearch (2.1.0)
If I search EventCode=4740, the results include many events.
Other panels in the same view are all populated.
1) Fix the dest_nt_domain field extraction if it is not populated.
(ref: http://answers.splunk.com/answers/215946/splunk-add-on-for-microsoft-windows-why-am-i-getti.html )
transforms.conf
[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
REGEX = ^([^\\]+)
FORMAT = dest_nt_domain::$1
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = ^([^\\]+)
FORMAT = dest_nt_domain::$1
[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
REGEX = ^([^\\]+)
FORMAT = dest_nt_domain::$1
[Security_ID_as_src_nt_domain]
SOURCE_KEY = Security_ID
REGEX = ^([^\\]+)
FORMAT = src_nt_domain::$1
2) Make sure ldap.conf has a proper alias.
Here is an example of the alternatedomain properties:
ldap.conf
[splunk.kom]
alternatedomain = SPLUNK
[support.splunk.kom]
alternatedomain = SUPPORT
3) In $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local, add and edit palettesearches.conf.
=> On Windows, the path separator is a backslash.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf
=> Find the stanza named ldaprecord.nt_domain.search.
=> Change the search string in the stanza by replacing DomainDNSname with DomainNetBIOSName.
=> This will display DomainNetBIOSName instead of DomainDNSname in the drop-down.
Here is an example:
$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf
[ldaprecord.nt_domain.search]
search = | inputlookup DomainSelector | eval nt_domain=DomainNetBIOSName | dedup nt_domain | table nt_domain
4) In the same palettesearches.conf, add and edit the stanza named ActiveDirectory.UserAuditAccountLockoutActivity.Search.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf
=> Replace src_host with src_nt_host in "| eval actor=..."
=> This will set a proper Actor value.
$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf
[ActiveDirectory.UserAuditAccountLockoutActivity.Search]
search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
| dedup consecutive=T EventCode \
| eval adminuser=src_nt_domain."\\".src_user \
| eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
| table _time,signature,actor \
| rename signature as "Action",actor as "Actor"
5) In the Windows TA, for Caller_Computer_Name_as_src_nt_host, add and edit the following props.conf and transforms.conf entries.
=> This will add Caller_Computer_Name as src_nt_host, which will be used as the Actor value.
$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf
[source::*:Security]
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf
[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = ([^\\]+)$
FORMAT = src_nt_host::$1
6) Optional: To change the table result from a single record to multiple records for Account Lockout Activity - User:
$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf
[ActiveDirectory.UserAuditAccountLockoutActivity.Search]
search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
| eval adminuser=src_nt_domain."\\".src_user \
| eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
| table _time, signature, actor, src_nt_host, user \
| stats count max(_time) AS maxtime min(_time) AS mintime values(user) AS Users by signature actor src_nt_host \
| convert ctime(*time) \
| rename mintime AS "Earliest", maxtime AS "Latest", signature as "Action", src_nt_host as "Workstation", actor as "Actor" \
| table Actor Users Action Earliest Latest count
Note that when you upgrade the app and TA, the problem might already be fixed. So, please double-check the view without these changes and see whether the issue still exists.
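To check what the transforms from steps 1 and 5 and the actor eval from step 4 would produce before touching a live Splunk instance, the following added example (not part of the answer above and not Splunk's own code) replays those stanzas against a constructed 4740-style event with Python's re module. The stanza table, the sample event, the field names src_user and EventCode, and the rule that the first extraction of a field wins (Splunk would instead build a multivalue field) are all assumptions made for this example; the regexes themselves are the ones from the answer.

```python
import re

# Constructed subset of the transforms.conf stanzas from steps 1 and 5.
# In a conf file the class [^\\] means "any character except a backslash".
TRANSFORMS = {
    "User_ID_as_dest_nt_domain": {
        "SOURCE_KEY": "User_ID", "REGEX": r"^([^\\]+)", "FORMAT": "dest_nt_domain::$1"},
    "Security_ID_as_dest_nt_domain": {
        "SOURCE_KEY": "Security_ID", "REGEX": r"^([^\\]+)", "FORMAT": "dest_nt_domain::$1"},
    "Security_ID_as_src_nt_domain": {
        "SOURCE_KEY": "Security_ID", "REGEX": r"^([^\\]+)", "FORMAT": "src_nt_domain::$1"},
    "Caller_Computer_Name_as_src_nt_host": {
        "SOURCE_KEY": "Caller_Computer_Name", "REGEX": r"([^\\]+)$", "FORMAT": "src_nt_host::$1"},
}

# Constructed sample event: the fields the Windows TA would already have
# extracted from an EventCode 4740 (account locked out) record.
SAMPLE_LOCKOUT = {
    "EventCode": "4740",
    "User_ID": "CORP\\jdoe",              # locked-out account, DOMAIN\user form
    "Security_ID": "CORP\\svc-lockout",   # subject of the event
    "src_user": "svc-lockout",            # assumed already extracted by the TA
    "Caller_Computer_Name": "\\\\WKSTN01",  # 4740 reports the caller as \\HOST
}


def apply_transforms(event, transforms=TRANSFORMS):
    """Return a copy of the event with the fields each stanza extracts.

    Mirrors the search-time REPORT behaviour for the simple FORMAT = name::$n
    case: REGEX is applied to the value of SOURCE_KEY and capture group n
    becomes the new field. Simplification (assumption): when two stanzas
    extract the same field, the first value is kept rather than forming a
    multivalue field as Splunk would.
    """
    out = dict(event)
    for stanza in transforms.values():
        value = event.get(stanza["SOURCE_KEY"])
        if value is None:
            continue
        match = re.search(stanza["REGEX"], value)
        if match is None:
            continue
        field, group_ref = stanza["FORMAT"].split("::")
        out.setdefault(field, match.group(int(group_ref.lstrip("$"))))
    return out


def actor_for(event):
    """Step 4's eval: for 4767/671 (unlock / account unlocked) the actor is the
    admin as DOMAIN\\user; for a lockout it is the workstation (src_nt_host)
    that triggered it."""
    adminuser = event.get("src_nt_domain", "") + "\\" + event.get("src_user", "")
    if event.get("EventCode") in ("4767", "671"):
        return adminuser
    return event.get("src_nt_host")


if __name__ == "__main__":
    enriched = apply_transforms(SAMPLE_LOCKOUT)
    for name in ("dest_nt_domain", "src_nt_domain", "src_nt_host"):
        print(f"{name} = {enriched.get(name)}")
    print("actor =", actor_for(enriched))
    # Caveat worth knowing: a value with no backslash at all is captured whole,
    # so a bare username ends up in dest_nt_domain and will not match the
    # drop-down's NetBIOS domain name.
    print("no-domain case:", apply_transforms({"User_ID": "jdoe"})["dest_nt_domain"])
```

Run it and compare the printed fields with what `| eventtype=msad-account-lockout | table dest_nt_domain src_nt_domain src_nt_host` shows in Splunk; a mismatch usually means the Security_ID or Caller_Computer_Name field in the live events has a different shape than the constructed sample.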