
Getting Started Question: Finding failed Windows logon attempts

Explorer

OK, great! So we just got Splunk running. Now what?

I've gone out and told it to grab AD data, so I thought, "Hey, how do I find failed logon attempts on the network?" Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?

Any takers for a rookie question?


Re: Getting Started Question: Finding failed Windows logon attempts

Splunk Employee

You might want to take a look at the Splunk App for Active Directory, which includes a dashboard for user logon failures. If you're going to install that app, be sure to read the New to Splunk? topic in that manual.

You can set up an alert based on those saved searches; see the Splunk Alerting Manual for more information.


Re: Getting Started Question: Finding failed Windows logon attempts

Super Champion

You should get yourself a copy of the Windows Security Operations Center.

It will have pre-built searches and dashboards for this activity.

However, you can do what you ask without the app. To find and alert on locked accounts use the following search:

index=main sourcetype="*security*" EventCode=644 OR EventCode=4740

In the upper right select Create > Alert, give it a name, select real-time, and select Next.

Select Send Email, and enter your email address.

Select Include Results - Inline

Select Next and select your Sharing option.

Select Finish.

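The accepted answer's search only catches the lockout events (644/4740); the original question also asks to alert when an account fails X times. The following Python is an added example, not code from this thread or from Splunk, that models that detection logic offline over constructed sample events. It assumes a simplified key=value layout with the field names Splunk extracts from Windows Security logs (EventCode, Account_Name), and uses the Windows failed-logon codes 529 (legacy) and 4625 (Vista and later), which are not mentioned on the page.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events in a simplified key=value layout that mimics
# the fields Splunk extracts from Windows Security logs (assumption).
SAMPLE_EVENTS = """\
2013-05-01T09:00:01 EventCode=4625 Account_Name=jdoe Workstation_Name=WS01
2013-05-01T09:00:05 EventCode=4625 Account_Name=jdoe Workstation_Name=WS01
2013-05-01T09:00:09 EventCode=4625 Account_Name=jdoe Workstation_Name=WS01
2013-05-01T09:00:12 EventCode=4625 Account_Name=jdoe Workstation_Name=WS01
2013-05-01T09:00:15 EventCode=4625 Account_Name=jdoe Workstation_Name=WS01
2013-05-01T09:00:16 EventCode=4740 Account_Name=jdoe Caller_Computer_Name=DC01
2013-05-01T09:30:00 EventCode=4625 Account_Name=asmith Workstation_Name=WS02
2013-05-01T10:45:00 EventCode=4625 Account_Name=asmith Workstation_Name=WS02
2013-05-01T11:00:00 EventCode=4624 Account_Name=asmith Workstation_Name=WS02
"""

FAILED_LOGON = {"529", "4625"}   # legacy / Vista+ "logon failure" codes
LOCKOUT = {"644", "4740"}        # legacy / Vista+ "account locked out" codes (from the thread)

def parse(lines):
    """Turn the sample lines into dicts with a parsed _time, like Splunk's extracted fields."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["_time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def failed_logon_bursts(events, threshold=5, window_seconds=300):
    """Accounts that accumulate `threshold` failed logons within a sliding time window."""
    recent = defaultdict(deque)   # per-account timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] not in FAILED_LOGON:
            continue
        acct = ev["Account_Name"]
        q = recent[acct]
        q.append(ev["_time"])
        while (ev["_time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(acct)
    return sorted(flagged)

def locked_out_accounts(events):
    """Accounts with a lockout event: what 'EventCode=644 OR EventCode=4740' returns."""
    return sorted({e["Account_Name"] for e in events if e["EventCode"] in LOCKOUT})
```

With the sample data, jdoe trips the default threshold (5 failures in 15 seconds) and also appears in the lockout list, while asmith's two failures 75 minutes apart only count together if the window is widened.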

Re: Getting Started Question: Finding failed Windows logon attempts

Super Champion

I assume you have configured your SMTP settings in Splunk.


Re: Getting Started Question: Finding failed Windows logon attempts

Explorer

Yeah, so apparently I'm not completely talking to Active Directory until I install some forwarders. I saw "add data source" for AD or whatever on the first-run page and did that.

Apparently it's a bit more involved.


Re: Getting Started Question: Finding failed Windows logon attempts

Super Champion

You don't necessarily need to install forwarders.
Go to Manager > Data Inputs > Remote Event Log Collections and select New. This will use WMI. You will need a Windows domain account.


Re: Getting Started Question: Finding failed Windows logon attempts

Explorer

Will it prompt for the domain account or is it configured somewhere?


Re: Getting Started Question: Finding failed Windows logon attempts

Super Champion

The service account that runs splunkd on the indexer needs to be a domain account. Here is an older post that speaks to WMI:
http://answers.splunk.com/answers/3701/how-to-get-wmi-data-collection-by-providing-to-splunk-the-rem...


Re: Getting Started Question: Finding failed Windows logon attempts

Explorer

Great! This worked. Thanks!
Now we're hammering the daily limit for the free system. May have to dial it back a notch. 🙂


Re: Getting Started Question: Finding failed Windows logon attempts

Super Champion

Do you have the Deployment Monitor app installed?
The initial data dump will be pretty large because it will collect all of the logs.

The Deployment Monitor > License Usage tab will show the indexing volume change over time.
Splunk support can help with license violations.