Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Account locked out

Gayathirik
Path Finder
‎08-30-2016 04:46 AM

index=winsec EventCode="4624" | dedup user| stats count as total by _time host user src_ip

The above query wrks fine for extracting the sourceip for acccount logged on.

But!!

index=winsec EventCode="4740" | dedup user| stats count as total by _time host user src_ip is not working to extarct the ip address of the machine that got account locked out.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-30-2016 05:28 AM

i just checked, the Event ID 4740 is not capturing the source ip's. its collecting only Computer names (host gives short hostname, ComputerName gives the FQDN). 

index=winsec EventCode="4740" | dedup user| stats count as total by _time host user ComputerName

maybe, from ComputerName, you can do a dnslookup.

updated - to get src_ip, maybe a subsearch will help - 

index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎08-30-2016 05:28 AM

i just checked, the Event ID 4740 is not capturing the source ip's. its collecting only Computer names (host gives short hostname, ComputerName gives the FQDN). 

index=winsec EventCode="4740" | dedup user| stats count as total by _time host user ComputerName

maybe, from ComputerName, you can do a dnslookup.

updated - to get src_ip, maybe a subsearch will help - 

index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

Gayathirik
Path Finder
‎08-30-2016 06:29 AM

Yes, i have already used with computer name still i need to extract the sourceip that would give evn more clarification when the account is locked from a particular src_ip rather than computername..

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-30-2016 07:20 PM

to get src_ip, maybe a subsearch will help -

index=winsec [search index=winsec EventCode="4740" | dedup user| table ComputerName] | stats count as total by _time host user src_ip

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

Gayathirik
Path Finder
‎08-31-2016 01:33 AM

This really wrks!!!Thanks a lot!!!

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-31-2016 02:44 AM

Hi Gayathri, can you please mark this as the accepted answer (and (few) upvotes please 😉 )

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

jpolcari
Communicator
‎08-30-2016 06:32 AM

The src_ip is NOT available from Event ID 4740

More info: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740

If you are looking for more information on what caused the lockout, you would need to look more into the failed logon attempts that lead up to the lockout.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...