index=winsec EventCode="4624" | dedup user| stats count as total by _time host user src_ip
The above query works fine for extracting the source IP for the account that logged on.
But!!
index=winsec EventCode="4740" | dedup user| stats count as total by _time host user src_ip is not working to extract the IP address of the machine that got the account locked out.
I just checked; Event ID 4740 is not capturing the source IPs. It's collecting only computer names (host gives the short hostname, ComputerName gives the FQDN).
index=winsec EventCode="4740" | dedup user| stats count as total by _time host user ComputerName
Maybe, from ComputerName, you can do a DNS lookup.
Updated - to get src_ip, maybe a subsearch will help:
index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip
Yes, I have already used it with the computer name, but I still need to extract the source IP; that would give even more clarification when the account is locked from a particular src_ip rather than a computer name.
To get src_ip, maybe a subsearch will help:
index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip
This really works!!! Thanks a lot!!!
Hi Gayathri, can you please mark this as the accepted answer (and (few) upvotes please 😉 )
The src_ip is NOT available from Event ID 4740
More info: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740
If you are looking for more information on what caused the lockout, you would need to look more into the failed logon attempts that led up to the lockout.
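The correlation this last answer describes, as an added example that is not part of the thread: since 4740 carries only the caller computer name, the source IP has to come from the failed logons (4625, or 4771 Kerberos pre-authentication failures) for the same account in the minutes before the lockout. The sample events below are constructed; the field names (EventCode, user, src_ip, Caller_Computer_Name) are assumed to be what the Windows add-on extracts, and the 10-minute look-back window is an assumption you would tune to the domain's lockout observation window.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not taken from the thread). A 4740 lockout has no
# src_ip, only the caller computer; the 4625 failures before it carry src_ip.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:40:00", "EventCode": "4625", "user": "gayathri", "src_ip": "10.9.9.9", "host": "dc01"},
    {"_time": "2024-05-01T09:00:05", "EventCode": "4625", "user": "gayathri", "src_ip": "10.1.2.3", "host": "dc01"},
    {"_time": "2024-05-01T09:00:10", "EventCode": "4625", "user": "gayathri", "src_ip": "10.1.2.3", "host": "dc01"},
    {"_time": "2024-05-01T09:00:15", "EventCode": "4771", "user": "gayathri", "src_ip": "10.1.2.3", "host": "dc01"},
    {"_time": "2024-05-01T09:00:18", "EventCode": "4625", "user": "bob",      "src_ip": "10.1.2.3", "host": "dc01"},
    {"_time": "2024-05-01T09:00:20", "EventCode": "4740", "user": "gayathri", "host": "dc01",
     "Caller_Computer_Name": "WS-FINANCE-07"},   # assumed field name for the caller computer
    {"_time": "2024-05-01T09:05:00", "EventCode": "4740", "user": "alice", "host": "dc01",
     "Caller_Computer_Name": "WS-HR-02"},
]

FAILURE_CODES = {"4625", "4771"}   # failed logon, Kerberos pre-auth failure


def parse_time(s):
    """Timestamps in the constructed sample are ISO 8601 strings."""
    return datetime.fromisoformat(s)


def correlate_lockouts(events, window=timedelta(minutes=10)):
    """For every 4740 lockout, count the src_ip values of failed logons for the
    same account inside `window` before the lockout. Returns one record per
    lockout, ordered by lockout time, with the most frequent IP as the likely
    source (None when no failures were seen in the window)."""
    failures = [e for e in events if e["EventCode"] in FAILURE_CODES]
    lockouts = sorted((e for e in events if e["EventCode"] == "4740"),
                      key=lambda e: parse_time(e["_time"]))
    results = []
    for lock in lockouts:
        t_lock = parse_time(lock["_time"])
        ips = Counter(
            f["src_ip"] for f in failures
            if f["user"] == lock["user"]
            and t_lock - window <= parse_time(f["_time"]) <= t_lock
        )
        results.append({
            "user": lock["user"],
            "lock_time": lock["_time"],
            "logged_by": lock["host"],                        # the DC that wrote the event
            "caller_computer": lock.get("Caller_Computer_Name"),
            "src_ips": dict(ips),                             # ip -> failure count in window
            "likely_src_ip": ips.most_common(1)[0][0] if ips else None,
        })
    return results


if __name__ == "__main__":
    for r in correlate_lockouts(SAMPLE_EVENTS):
        print(f'{r["lock_time"]} {r["user"]:10} caller={r["caller_computer"]} '
              f'likely_src_ip={r["likely_src_ip"]} failures={r["src_ips"]}')
```

The 08:40 failure from 10.9.9.9 falls outside the window and bob's failure belongs to a different account, so only the three failures from 10.1.2.3 are attributed to gayathri's lockout; alice's lockout has no preceding failures in the window and is reported with no IP, which is itself worth a look rather than a gap to paper over. In Splunk the same join is what you would build by searching EventCode 4740 together with 4625/4771 and grouping by user over a time window, instead of expecting src_ip on the 4740 event.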