False user account lockout

brpsingara
Explorer

Hello,
I am receiving a false user account lockout report for a particular user account.
I am getting one user account lockout report daily with a count of 25 to 40. But the user is in an active state; he is able to log in and do his daily tasks, and I cross-checked with the system administrator team whether the user is active or locked. They told me the user is active. From July 3rd I am receiving, user account same, host same, only
I don't know why Splunk is triggering that particular user account's lockouts.

Here is the code which I am using for the daily report.

sourcetype=WinEventLog.Security EventCode=4740
| stats count by Account_Name
| sort - count
| rename count as "Account Lockouts"

If I search for the particular user account, the event codes below are also showing:

user="Kiran"

A user account was locked out - 4740
A new process had been created - 4688
The state of a transaction has changed - 4985
Source WinEventLog.Security
Sourcetype WinEventLog.Security
Host SYS-MACHINE1, SYS-MACHINE2, SYS-MACHINE3
Action modified & success
Msad_action 35

May I know whether the problem is with Splunk or something else?

nick405060
Motivator

It is very interesting that you posted this. My company is having the exact same problem this week; it is not a Splunk problem, it is a problem with our larger IT infrastructure. Can you keep me updated, because we do not understand why lockout events are being generated when the user is not actually locked out.

On your end, it is likely not a Splunk problem either, as Splunk is merely ingesting the 4740 logs from your (presumably) domain controller. You can look at the contents of the events and the timestamps to verify there is no duplication or reingestion.

0 Karma
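
One way to run the duplication check suggested in the reply above, as an added example that is not part of either post: it counts how many indexed copies exist of each 4740 record and compares, per day, the raw event count with the number of distinct records. The sourcetype and user value are taken from the question; `EventCode`, `ComputerName`, `RecordNumber` and `Caller_Computer_Name` are assumed to be extracted as in the Splunk Add-on for Microsoft Windows, and the seven-day window is arbitrary.

```spl
sourcetype=WinEventLog.Security EventCode=4740 user="Kiran" earliest=-7d@d latest=now
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| stats count AS copies
        values(host) AS hosts
        values(source) AS sources
        values(indexed_at) AS indexed_at
        values(Caller_Computer_Name) AS caller
    BY ComputerName RecordNumber _time
| eval extra_copies=copies-1, day=strftime(_time, "%Y-%m-%d")
| stats sum(copies) AS events_indexed
        count AS distinct_records
        sum(extra_copies) AS duplicate_copies
        values(ComputerName) AS logged_on
        values(hosts) AS forwarded_by
        values(caller) AS caller_computers
    BY day
| sort 0 day
```

A `duplicate_copies` value above zero means the same event log record was indexed more than once. When `events_indexed` and `distinct_records` match, every counted event is a separate record written by the machines listed in `logged_on`, and `caller_computers` shows the machine named in each lockout event.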