Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Active Directory User Lockout Report

soniquella
Path Finder
‎01-23-2018 03:52 AM

Good morning.

I hope you can help?

I have an existing dashboard which reports on user lock out orientated event codes from our DC's.

index=index_name sourcetype="WinEventLog:Security" EventCode=4740 OR EventCode=4771 OR EventCode=4625
|eval Source=case(EventCode==4771,Client_Address,EventCode==4740,Caller_Computer_Name,EventCode==4625,Source_Network_Address)
| eval Account_Name=if(EventCode==4771,Account_Name,mvindex(Account_Name,1)) | eval Account_Domain=case(EventCode==4771,Security_ID,EventCode==4740,Account_Domain,EventCode==4625,mvindex(Account_Domain,1))
| table _time, EventCode, Account_Name, Account_Domain, ComputerName, Source

Ultimately, I would like to generate a report whereby if a user is locked out (EventCode=4740) the previous 60 minutes log attempts are recorded showing source machine and also the machine which the user is attempting to connect to.
I will then go on to generate a script to put this in to e-mail format so that I can automatically e-mail the user with this report when they are locked out.

Can anyone help? To clarify, the EventCode=4740 would be the trigger and then I would need the previous 60 minutes log attempts including source machine and destination machine in a report. Would this be a transaction or span command?

Any help would be appreciated.

Kind regards,

Rob.

0 Karma
Reply

JordanPeterson
Path Finder
‎01-24-2018 05:30 PM

We have a similar setup: 

(host=dc*) source=WinEventLog:Security (EventCode=4740) (Target_Account_Name!=localadmin OR user!=localadmin) 
| eval Account=if(Target_Account_Name!=NULL, Target_Account_Name, user) 
| eval Machine=if(Caller_Machine_Name!=NULL, Caller_Machine_Name, Caller_Computer_Name) 
| fillnull Value="Unknown" Machine 
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") 
| dedup Time, Account 
| dedup Account, Machine 
| table Time, Account, Machine

This will result in giving us the Time, Account, and Machine where the lockout occurred but it doesn't include the previous logs. We have it setup to then email our HelpDesk team inbox so they can reach out to the user (fortunately we are a small enough company this is reasonable).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...