
Total Account lockouts > 2 within 30mins

siddh01r
New Member

Hi There,

I am trying to find where total account lockouts are greater than 2 within a time frame of 30 mins.
This is to find potential malicious activity where someone is possibly trying to crack a password for an account.
Our lockout threshold is 15 mins and it gets unlocked. This way I can see if someone possibly has tried to log into an account more than 2 times and locked an account in 30 mins.

Here is my query which gives me total results >2, but I am not sure how to specify the timeframe of 30 mins in the query.
Any help would be appreciated.

description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| stats count as total by user, host
| where total > 2

0 Karma

gcusello
SplunkTrust

Hi siddh01r,
If you need to create an alert, you can use your search with this time period:

earliest=-30m latest=now

and schedule this alert every 30 minutes.

If you want to create a panel, you could use the timechart command:

description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| eval col=user." ".host
| timechart span=30m count as total by col
| where total > 2

P.S.: always use an index in your searches; it's faster.

Bye.
Giuseppe

0 Karma

maciep
Champion

You may want to run this more often, maybe every 5 minutes, and find a way to deal with dups. Or run it over a longer period and use delta to find the time between alerts. If you run it every 30, you could miss failed attempts that cross timespans.

For example, if it runs on the 0 and 30 minute marks and attempts fail on the 57 and 02 minute marks, the first run at the 0 minute mark would only see the attempt at 57 and the run at the 30 mark would only see the attempt at the 2nd minute. And so even though the attempts are 5 minutes apart, your alert would miss them.

0 Karma
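The boundary problem described in the reply above, modelled outside Splunk as an added Python example (not code from any poster in this thread). The events, timestamps and function names are constructed for illustration: three lockouts for one account within 12 minutes straddle the :00 boundary, so fixed 30-minute buckets never exceed 2 while a trailing 30-minute window does.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
THRESHOLD = 2  # alert when lockouts > 2, as in the thread

# Constructed sample of EventCode 4740 lockouts: (timestamp, user, host)
EVENTS = [
    ("2024-01-01 09:50", "alice", "primarydc"),
    ("2024-01-01 09:57", "alice", "primarydc"),
    ("2024-01-01 10:02", "alice", "primarydc"),
    ("2024-01-01 09:10", "bob", "primarydc"),
    ("2024-01-01 10:20", "bob", "primarydc"),
]

def parse(events):
    """Return events as (datetime, user, host) tuples in ascending time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, h) for ts, u, h in events)

def fixed_buckets(events):
    """Count per (user, host) in 30-minute buckets aligned to :00 and :30."""
    counts = Counter()
    for ts, user, host in parse(events):
        bucket = ts.replace(minute=ts.minute - ts.minute % 30)
        counts[(user, host, bucket)] += 1
    return {(u, h) for (u, h, _), n in counts.items() if n > THRESHOLD}

def sliding_window(events):
    """Flag (user, host) once any trailing 30-minute window holds > THRESHOLD lockouts."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, host in parse(events):
        q = recent[(user, host)]
        q.append(ts)
        # Drop lockouts that fell out of the trailing window ending at ts.
        while ts - q[0] >= WINDOW:
            q.popleft()
        if len(q) > THRESHOLD:
            flagged.add((user, host))
    return flagged

if __name__ == "__main__":
    print("fixed buckets :", fixed_buckets(EVENTS))
    print("sliding window:", sliding_window(EVENTS))
```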

siddh01r
New Member

Thank you so much Giuseppe. Great help.
Question - what is the below used for, can you please give me some context?

| eval col=user." ".host

Also, when I use that query, I see that there are events but I get no statistical table with results, i.e. "0 statistics".

Cheers
Sid

0 Karma

gcusello
SplunkTrust

About the first question: you have to create a timechart with two parameters, user and host, but timechart can take only one parameter; in this way you can use two parameters in timechart.

About the second question: if you use | where total>2, you add a filter for your alert; in this way, if you have results, the alert is triggered, otherwise not.
If instead you want to use this search in a panel, you can remove the filter and see all the results.

Bye.
Giuseppe

0 Karma