Hi Experts,
I am completely new to Splunk, and I have two requirements.
1. One of my users is getting locked out. How can I check this in Splunk? Let's say user1 is getting locked out; I know event ID 4740, but how can I check in Splunk using this event ID?
Hi @risingflight143,
I think that you're already ingesting WinEventLog:Security logs.
First question is easy:
index=wineventlog EventCode=4740
| dedup Account_name
| sort Account_name
| table Account_name
(please check if the user field name is Account_name on your servers).
The second one is more complex because you have to enable your Domain Controller to log these events (by default they aren't logged), and then run a search like the one above using EventCode=4729 OR EventCode=4757 OR EventCode=4733.
Ciao.
Giuseppe
You can use the Splunk search below to check locked-out accounts:
sourcetype="wineventlog" (EventCode=4740 OR EventCode=644)
| eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
| stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user
| eval ltime=strftime(time,"%c")
| table ltime, dest_nt_domain, user, host
| rename ltime AS "Lockout Time", dest_nt_domain AS Domain, user AS "Account Locked Out", host AS "Workstation"
Will the syntax below work for all users whose accounts were locked out in the last 1 hour?
Does host=* search across all domain controllers?
For all users:
sourcetype=wineventlog:security EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
For a single user:
sourcetype=wineventlog:security Account_Name=user1 EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Logging is enabled on all my domain controllers. I have a security group named group1; how do I use these event IDs to see who has removed or added users from this group?
Will the syntax below work for all users whose accounts were locked out in the last 1 hour?
Does host=* search across all domain controllers?
For all users:
index=wineventlog Account_Name=* EventCode=4740 earliest=<-1h> host=* | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
For a single user:
index=wineventlog Account_Name=user1 EventCode=4740 earliest=<-1h> host=* | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Logging is enabled on all my domain controllers. I have a security group named group1; how do I use these event IDs to see who has removed or added users from this group?
Hi @risingflight143,
The condition host=* isn't important because by default host=*; the host= condition could be useful if you want to limit the search only to Domain Controllers.
About the time limits, you can insert them in the search using earliest, or manage them in the time picker and the alert scheduling.
About the second question, if logging is enabled, the above EventCodes identify the events you want.
If my answer solves your question, please accept and/or upvote it (for the use of other people), otherwise, how can I help you?
Ciao.
Giuseppe
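Added example, not from the thread or from Splunk's own content: a savedsearches.conf stanza that turns the second question into a scheduled alert over the last hour, covering the member-removed codes given above (4729, 4733, 4757) plus their member-added counterparts (4728 global, 4732 local, 4756 universal group). The index name, the Group_Name field and the ordering of the multivalue Account_Name field (subject first, member second) are assumptions to check against your own events.

```ini
# Added example (not from the thread): scheduled alert for membership changes to group1.
# Assumptions: index "wineventlog"; a Group_Name field; Account_Name being a multivalue
# field with the subject (who made the change) at index 0 and the member at index 1.
# The member value may appear as a distinguished name (CN=...) rather than a sAMAccountName.
[group1_membership_changes]
disabled = 0
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = index=wineventlog sourcetype="WinEventLog:Security" Group_Name="group1" \
    (EventCode=4728 OR EventCode=4732 OR EventCode=4756 \
     OR EventCode=4729 OR EventCode=4733 OR EventCode=4757) \
  | eval action=case(EventCode=4728 OR EventCode=4732 OR EventCode=4756, "added", \
                     EventCode=4729 OR EventCode=4733 OR EventCode=4757, "removed") \
  | eval actor=mvindex(Account_Name,0), member=mvindex(Account_Name,1) \
  | table _time host EventCode action actor member Group_Name \
  | sort -_time
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
```

Run the search part on its own first; if actor and member come out swapped or empty, the Account_Name ordering differs on your add-on version and the mvindex positions need adjusting.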
Will the syntax below work for all users?
sourcetype=wineventlog:security EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Will the syntax below work for a single user?
sourcetype=wineventlog:security Account_Name=user1 EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Hi @risingflight143,
probably it's a problem of visualization, but earliest is a little different:
index=wineventlog sourcetype=wineventlog:security EventCode=4740 earliest=-h (host="dc01*" OR host="dc02*")
| table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
P.S.: always use index as a search parameter; you'll get faster searches.
I didn't understand if this search works for you or not.
If not, what's the message or the wrong result?
Ciao.
Giuseppe
Try this for lockouts:
(sourcetype="WinEventLog:Security" EventCode=4740 src_ip!="127.0.0.1")
| stats count by src_ip,user, user_email, dest, subject