Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Active Directory Lockout alerts

jared_anderson
Path Finder
‎01-10-2013 07:21 AM

I have active directory sending logs to my Splunk server via a Universal forwarder. I want to create alerts for when a user locks themselves out of Active Directory. What is the best way to do this?

Tags (1)
0 Karma
Reply

jan_wohlers
Path Finder
‎03-12-2013 02:50 AM

EventCode=4740 host=* --> This will show you all lock out events occuring. "Caller Name" ist the server/System from where the lockout comes from

Reply

jared_anderson
Path Finder
‎03-13-2013 07:10 AM

I think the problem I have is that we have multiple domain controllers, and the forwarder isn't on the main one. So I don't get the actual lockout event, just the replication across the DCs

0 Karma
Reply

mbenwell
Communicator
‎02-27-2013 09:08 PM

Look at the Active Directory App. As part of this app you will get all sorts of field extractions, dashboards and eventtypes (including one for account lockouts).

So... then just search for the eventtype:

eventtype=msad-account-lockout

0 Karma
Reply

stephennbh
New Member
‎02-27-2013 06:35 PM

How could I run this search against my whole domain for all the domain controllers instead of one DC host?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-10-2013 07:59 AM

Assuming that you have the security log in splunk, the following search would probably work

sourcetype=wineventlog:security host=<your domain controller> Failure_Reason="Account locked out." | eval acc=mvindex(Account_Name,1)| table _time acc

This gives you a list of anyone trying to log in with a locked account. Set up a scheduled search, and report when number of results is > 0.

Hope this helps,

Kristian

0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-11-2013 12:04 AM

Hmm, yes, I think that this event will be generated the when the account gets locked as well.

0 Karma
Reply

jared_anderson
Path Finder
‎01-10-2013 10:29 AM

would this only work if they tried to log in when they were already locked out? If they locked the account out, then never tried to log in again, would this report find anything?

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...