Security

Account locked out

Gayathirik
Path Finder

index=winsec EventCode="4624" | dedup user| stats count as total by _time host user src_ip

The above query wrks fine for extracting the sourceip for acccount logged on.

But!!

index=winsec EventCode="4740" | dedup user| stats count as total by _time host user src_ip is not working to extarct the ip address of the machine that got account locked out.

Tags (1)
0 Karma
1 Solution

inventsekar
Super Champion

i just checked, the Event ID 4740 is not capturing the source ip's. its collecting only Computer names (host gives short hostname, ComputerName gives the FQDN).

index=winsec EventCode="4740" | dedup user| stats count as total by _time host user ComputerName

maybe, from ComputerName, you can do a dnslookup.

updated - to get src_ip, maybe a subsearch will help -

index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip
PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.

View solution in original post

inventsekar
Super Champion

i just checked, the Event ID 4740 is not capturing the source ip's. its collecting only Computer names (host gives short hostname, ComputerName gives the FQDN).

index=winsec EventCode="4740" | dedup user| stats count as total by _time host user ComputerName

maybe, from ComputerName, you can do a dnslookup.

updated - to get src_ip, maybe a subsearch will help -

index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip
PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.

Gayathirik
Path Finder

Yes, i have already used with computer name still i need to extract the sourceip that would give evn more clarification when the account is locked from a particular src_ip rather than computername..

0 Karma

inventsekar
Super Champion

to get src_ip, maybe a subsearch will help -

index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip

PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.

Gayathirik
Path Finder

This really wrks!!!Thanks a lot!!!

0 Karma

inventsekar
Super Champion

Hi Gayathri, can you please mark this as the accepted answer (and (few) upvotes please 😉 )

PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.

jpolcari
Communicator

The src_ip is NOT available from Event ID 4740

More info: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740

If you are looking for more information on what caused the lockout, you would need to look more into the failed logon attempts that lead up to the lockout.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...