- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: Account lockout
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Experts
I am completely new to spunk, I have a two requirements.
1. One of my user is getting locked and how can check in splunk lets say user1 is getting locked i know event id 4740 but how can i check in splunk using this eventid
- One of my user is removed from an AD group, how can i check who has removed it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @risingflight143,
I think that you're already ingesting WinEventLog:Security logs.
First question is easy:
index=wineventlog EventCode=4740
| dedup Account_name
| sort Account_name
| table Account_name
(please check if the user field name is Account_name in your servers.
The second one is more complex because, you have to enable your Domain Controller to log these events (by default they aren't) and then run a search as above using EventCode=4729 OR EventCode=4757 OR EventCode=4733
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
will the below syntax work for all users whose accounts were locked out in last 1 hour.
is host=* does it search for all domain controllers.
for all users
sourcetype=wineventlog:security EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
for single user
sourcetype=wineventlog:security Account_Name=user1 EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Logging is enabled on all my domain controllers, i have security group by name group1 and how i use these event ids to see who has removed or added users from this group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @risingflight143,
I think that you're already ingesting WinEventLog:Security logs.
First question is easy:
index=wineventlog EventCode=4740
| dedup Account_name
| sort Account_name
| table Account_name
(please check if the user field name is Account_name in your servers.
The second one is more complex because, you have to enable your Domain Controller to log these events (by default they aren't) and then run a search as above using EventCode=4729 OR EventCode=4757 OR EventCode=4733
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
will the below syntax work for all users whose accounts were locked out in last 1 hour.
is host=* does it search for all domain controllers.
for all users
index=wineventlog Account_Name= EventCode=4740 earliest=<-1h> host=* | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
for single user
index=wineventlog Account_Name=user1 EventCode=4740 earliest=<-1h> host=* | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Logging is enabled on all my domain controllers, i have security group by name group1 and how i use these event ids to see who has removed or added users from this group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @risingflight143,
the condition host=* isn't important because by default host=*, it could ve useful the condition host= if you want to limit the search only to Domain Controllers.
About the time limits, you can insert in the search using earliest or managing them in the time picker and the alert scheduling.
About the second question, if logging is enabled, the above EventCodes identify the events you want.
If my answer solves your question, please accept and/or upvote it (for the use of other people), otherwise, how can I help you?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will the below syntax work for all usres
sourcetype=wineventlog:security EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Will the below syntax work for single user
sourcetype=wineventlog:security Account_Name=user1 EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @risingflight143,
probably it's a problem of visualization, but earliest is a little different:
index=winevenlog sourcetype=wineventlog:security EventCode=4740 earliest=-h (host="dc01*" OR host="dc02*")
| table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
P.S.: use always index as search parameter, you'll have faster searches.
I didn't understand if this search works for you or not.
If not, what's the message or the wrong result?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for lockouts:
(sourcetype="WinEventLog:Security" EventCode=4740 src_ip!="127.0.0.1")
| stats count by src_ip,user, user_email, dest, subject
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
