Security

Account locked out

Gayathirik
Path Finder

index=winsec EventCode="4624" | dedup user | stats count as total by _time host user src_ip

The above query works fine for extracting the source IP for accounts logged on.

But!!

index=winsec EventCode="4740" | dedup user | stats count as total by _time host user src_ip

is not working to extract the IP address of the machine that got the account locked out.

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

I just checked, the Event ID 4740 is not capturing the source IPs. It's collecting only computer names (host gives the short hostname, ComputerName gives the FQDN).

index=winsec EventCode="4740" | dedup user | stats count as total by _time host user ComputerName

Maybe, from ComputerName, you can do a dnslookup.

Updated - to get src_ip, maybe a subsearch will help -

index=winsec [search index=winsec EventCode="4740" | dedup user | table ComputerName] | stats count as total by _time host user src_ip

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting, thanks for reading!

Gayathirik
Path Finder

Yes, I have already used it with the computer name; still I need to extract the source IP, which would give even more clarification when the account is locked from a particular src_ip rather than a computername.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

To get src_ip, maybe a subsearch will help -

index=winsec [search index=winsec EventCode="4740" | dedup user | table ComputerName] | stats count as total by _time host user src_ip

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting, thanks for reading!

Gayathirik
Path Finder

This really works!!! Thanks a lot!!!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi Gayathri, can you please mark this as the accepted answer (and (few) upvotes please 😉 )

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting, thanks for reading!

jpolcari
Communicator

The src_ip is NOT available from Event ID 4740

More info: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740

If you are looking for more information on what caused the lockout, you would need to look more into the failed logon attempts that led up to the lockout.

0 Karma
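The correlation jpolcari describes (a 4740 lockout carries no source IP, so you walk back to the failed logons that preceded it), shown as an added Python example that is not part of this thread or of Splunk. It assumes key=value events in the style of the Windows TA, and the field names EventCode, TargetUserName, IpAddress, WorkstationName and Caller_Computer_Name are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (key=value style, as a Windows TA would extract them).
# Field names are assumptions, not taken from the thread above.
SAMPLE_EVENTS = """
2024-03-01T08:00:00 EventCode=4625 ComputerName=dc01.corp.example TargetUserName=jdoe IpAddress=192.0.2.50 WorkstationName=LAPTOP-9
2024-03-01T09:58:10 EventCode=4625 ComputerName=dc01.corp.example TargetUserName=jdoe IpAddress=10.1.2.3 WorkstationName=WS-42
2024-03-01T09:58:40 EventCode=4625 ComputerName=dc01.corp.example TargetUserName=jdoe IpAddress=10.1.2.3 WorkstationName=WS-42
2024-03-01T09:59:05 EventCode=4625 ComputerName=dc01.corp.example TargetUserName=jdoe IpAddress=10.1.2.3 WorkstationName=WS-42
2024-03-01T09:59:20 EventCode=4625 ComputerName=dc01.corp.example TargetUserName=asmith IpAddress=10.9.9.9 WorkstationName=WS-07
2024-03-01T10:00:00 EventCode=4740 ComputerName=dc01.corp.example TargetUserName=jdoe Caller_Computer_Name=WS-42
"""


def parse_events(text):
    """Turn '<iso-timestamp> k=v k=v ...' lines into dicts with a datetime _time."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["_time"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def lockout_sources(events, lookback=timedelta(minutes=30)):
    """For each 4740, count the source IPs of the 4625 failures for the same
    account, from the caller computer named in the lockout, inside the lookback
    window. A lockout with no matching failures gets an empty src_ips dict."""
    failures = [e for e in events if e["EventCode"] == "4625"]
    results = []
    for lock in (e for e in events if e["EventCode"] == "4740"):
        window_start = lock["_time"] - lookback
        ips = {}
        for f in failures:
            if (f["TargetUserName"] == lock["TargetUserName"]
                    and f.get("WorkstationName") == lock.get("Caller_Computer_Name")
                    and window_start <= f["_time"] <= lock["_time"]):
                ips[f["IpAddress"]] = ips.get(f["IpAddress"], 0) + 1
        results.append({"user": lock["TargetUserName"],
                        "locked_at": lock["_time"],
                        "caller": lock.get("Caller_Computer_Name"),
                        "src_ips": ips})
    return results


if __name__ == "__main__":
    for r in lockout_sources(parse_events(SAMPLE_EVENTS)):
        print(r)
```

The 08:00 failure from a different workstation falls outside the window and is ignored, which is the distinction a raw join on user alone would miss.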