
Windows Infra app: "Account Lockout Activity - User" panel does not populate any data for EventCode=4740 (a user lock-out) Windows Security Event

Masa
Splunk Employee

"Account Lockout Activity - User" does not return any data

Splunk (v6.2.3)
Windows Infrastructure app (1.1.3)
Splunk_TA_windows (4.7.5)
SA-ldapsearch (2.1.0)

If I search EventCode=4740, the results include many events.

Other panels in the same view are all populated.

Masa
Splunk Employee

1) Fix the dest_nt_domain field extraction if it is not populated.
(ref: http://answers.splunk.com/answers/215946/splunk-add-on-for-microsoft-windows-why-am-i-getti.html )

  • transforms.conf

    [User_ID_as_dest_nt_domain]
    SOURCE_KEY = User_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Security_ID_as_dest_nt_domain]
    SOURCE_KEY = Security_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Target_Account_ID_as_dest_nt_domain]
    SOURCE_KEY = Target_Account_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Security_ID_as_src_nt_domain]
    SOURCE_KEY = Security_ID
    REGEX = ^([^\\]+)
    FORMAT = src_nt_domain::$1

2) Make sure ldap.conf has a proper alias.
Here is an example of alternatedomain properties:

  • ldap.conf

    [splunk.kom]
    alternatedomain = SPLUNK
    [support.splunk.kom]
    alternatedomain = SUPPORT

3) In $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local, add and edit palettesearches.conf.
=> For Windows, the path separator is a backslash.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf.
=> Find the stanza named ldaprecord.nt_domain.search.
=> Change the search string in the stanza by replacing DomainDNSname with DomainNetBIOSName.
=> This will display DomainNetBIOSName instead of DomainDNSname in the drop-down.

Here is an example:

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ldaprecord.nt_domain.search]
    search = | inputlookup DomainSelector | eval nt_domain=DomainNetBIOSName | dedup nt_domain | table nt_domain

4) In the same palettesearches.conf, add and edit the stanza named ActiveDirectory.UserAuditAccountLockoutActivity.Search.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf.
=> Replace src_host with src_nt_host in "| eval actor=...".
=> This will set a proper Actor value.

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ActiveDirectory.UserAuditAccountLockoutActivity.Search]
    search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
    | dedup consecutive=T EventCode \
    | eval adminuser=src_nt_domain."\\".src_user \
    | eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
    | table _time,signature,actor \
    | rename signature as "Action",actor as "Actor"

5) In the Windows TA, for Caller_Computer_Name_as_src_nt_host, add and edit the following props.conf and transforms.conf entries.
=> This will add Caller_Computer_Name as src_nt_host, which will be used as the Actor value.

  • $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf

    [source::*:Security]
    REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host

  • $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf

    [Caller_Computer_Name_as_src_nt_host]
    SOURCE_KEY = Caller_Computer_Name
    REGEX = ([^\\]+)$
    FORMAT = src_nt_host::$1

6) Optional: to change the Account Lockout Activity - User table result from a single record to multiple records:

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ActiveDirectory.UserAuditAccountLockoutActivity.Search]
    search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
    | eval adminuser=src_nt_domain."\\".src_user \
    | eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
    | table _time, signature, actor, src_nt_host, user \
    | stats count max(_time) AS maxtime min(_time) AS mintime values(user) AS Users by signature actor src_nt_host \
    | convert ctime(*time) \
    | rename mintime AS "Earliest", maxtime AS "Latest", signature as "Action", src_nt_host as "Workstation", actor as "Actor" \
    | table Actor Users Action Earliest Latest count
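As an added illustration (not part of the answer above or of the Splunk apps themselves), this Python emulates the transforms.conf regexes and the panel's actor eval from the answer on a constructed EventCode=4740 event, so you can see which dest_nt_domain and src_nt_host values the panel would end up filtering on; the sample field values and the emulation's first-match rule are assumptions.

```python
import re

# Constructed sample of a 4740 event in the key=value shape the TA presents (not real log data).
SAMPLE_4740 = """EventCode=4740
Security_ID=CORP\\svc_admin
Target_Account_ID=CORP\\jdoe
Caller_Computer_Name=\\\\WKS-042
"""

# Emulation of the transforms.conf stanzas from the answer as
# (SOURCE_KEY, REGEX, output field). [^\\] excludes a backslash, so
# ^([^\\]+) takes DOMAIN from DOMAIN\user and ([^\\]+)$ takes HOST from
# \\HOST; with no backslash at all, both capture the entire value.
TRANSFORMS = [
    ("User_ID",              r"^([^\\]+)", "dest_nt_domain"),
    ("Security_ID",          r"^([^\\]+)", "dest_nt_domain"),
    ("Target_Account_ID",    r"^([^\\]+)", "dest_nt_domain"),
    ("Security_ID",          r"^([^\\]+)", "src_nt_domain"),
    ("Caller_Computer_Name", r"([^\\]+)$", "src_nt_host"),
]

def parse_event(raw: str) -> dict:
    """Split key=value lines into the source fields a transform reads."""
    fields = {}
    for line in raw.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def apply_transforms(fields: dict) -> dict:
    """Run each transform; simplification: the first value extracted per field wins."""
    out = dict(fields)
    for source_key, regex, dest in TRANSFORMS:
        value = fields.get(source_key)
        if value is None or dest in out:
            continue
        match = re.search(regex, value)
        if match:
            out[dest] = match.group(1)
    return out

def actor(fields: dict) -> str:
    """Panel eval: codes 4767/671 show DOMAIN\\user, otherwise (4740 included) src_nt_host."""
    admin_user = fields.get("src_nt_domain", "") + "\\" + fields.get("src_user", "")
    if fields.get("EventCode") in ("4767", "671"):
        return admin_user
    return fields.get("src_nt_host", "")
```

If dest_nt_domain comes out as a raw SID rather than a NetBIOS name, the panel's dest_nt_domain="$ldaprecord.nt_domain$" filter will not match, which is one reason the panel can stay empty while a bare EventCode=4740 search returns events.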

Masa
Splunk Employee

Note that when you upgrade the app and TA, the problem might have been fixed. So, please double-check the view without these changes and see whether the issue still exists or not.
