False user account lockout

brpsingara
Explorer

Hello,
I am receiving a false user account lockout report on a particular user account.
I am getting one user account lockout report daily with a count of 25 to 40, but the user is in an active state; he is able to log in and do his daily tasks. I cross-checked with the system administrator team whether the user is active or locked, and they told me the user is active. Since July 3rd I have been receiving it: same user account, same host, only
I don't know why Splunk is triggering lockouts for that particular user account.

Here is the search I am using for the daily report.

sourcetype=WinEventLog.Security EventCode=4740
| stats count by Account_Name
| sort - count
| rename count as "Account Lockouts"

If I search for the particular user account, the event codes below also show up:

user="Kiran"

A user account was locked out - 4740
A new process has been created - 4688
The state of a transaction has changed - 4985
Source WinEventLog.Security
Sourcetype WinEventLog.Security
Host SYS-MACHINE1, SYS-MACHINE2, SYS-MACHINE3
Action modified & success
Msad_action 35

May I know whether the problem is with Splunk or something else?

nick405060
Motivator

It is very interesting that you posted this. My company is having the exact same problem this week; it is not a Splunk problem, it is a problem with our larger IT infrastructure. Can you keep me updated, because we do not understand why lockout events are being generated when the user is not actually locked out.

On your end, it is likely not a Splunk problem either, as Splunk is merely ingesting the 4740 logs from your (presumably) domain controller. You can look at the contents of the events and the timestamps to verify there is no duplication or reingestion.

0 Karma
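The reply above suggests checking the event contents and timestamps for duplication or reingestion. The search below is an added example to do exactly that; it is not the poster's search or anything from the Splunk documentation. It assumes the field names that the Splunk Add-on for Microsoft Windows extracts from a 4740 event (Account_Name, Caller_Computer_Name, RecordNumber, host) and a sourcetype of WinEventLog:Security, which you should change to whatever your environment actually uses. In a 4740 event, Account_Name is multivalued: the first value is the subject (normally the domain controller's computer account) and the second is the account that was locked out, so counting by the raw Account_Name field double-counts every event and also attributes lockouts to the DC itself.

```spl
sourcetype=WinEventLog:Security EventCode=4740
| eval locked_account=mvindex(Account_Name, 1)
| stats count,
        dc(RecordNumber) as unique_records,
        values(Caller_Computer_Name) as callers,
        min(_time) as first_seen,
        max(_time) as last_seen
        by host, locked_account
| eval first_seen=strftime(first_seen, "%F %T"),
       last_seen=strftime(last_seen, "%F %T"),
       duplicated=if(count > unique_records, "yes", "no")
| sort - count
```

If `count` is larger than `unique_records`, the same Windows event record was indexed more than once and the inflated daily total is an ingestion issue. If the two numbers match, the domain controller really is logging 25 to 40 lockouts per day for that account, and `callers` tells you which machine is submitting the bad credentials (a stale mapped drive, a scheduled task or a service running with an old password are the usual causes). A short lockout duration policy combined with a script that retries every few minutes explains why the account appears unlocked whenever an administrator checks it.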