Security

Account lockout

risingflight143
New Member

Hi Experts
I am completely new to Splunk, and I have two requirements.
1. One of my users is getting locked out. How can I check this in Splunk? Let's say user1 is getting locked out; I know Event ID 4740, but how can I check in Splunk using this Event ID?

2. One of my users is removed from an AD group; how can I check who removed them?
0 Karma
1 Solution

gcusello
Legend

Hi @risingflight143,
I think that you're already ingesting WinEventLog:Security logs.

First question is easy:

index=wineventlog EventCode=4740
| dedup Account_name
| sort Account_name
| table Account_name

(please check whether the user field name is Account_name on your servers).

The second one is more complex because you have to enable your Domain Controller to log these events (by default they aren't), and then run a search like the one above using EventCode=4729 OR EventCode=4757 OR EventCode=4733

Ciao.
Giuseppe

0 Karma
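The searches above assume the WinEventLog:Security fields are already extracted, and they hide one detail that matters in practice: a 4740 event carries two "Account Name" lines (the Subject, normally the domain controller's own machine account, and the account that was actually locked out), so Splunk's Account_Name is a multivalue field on these events and `| table Account_Name` shows both. The Python below is an added example, not code from this thread or from Splunk. It parses constructed WinEventLog:Security events (hosts, users and SIDs are made up) the way Splunk's field extraction presents them and answers both questions: which users were locked out and from which caller computer (4740), and which account removed or added a member of a given group (4729/4733/4757 for removals from global/local/universal security groups, and the corresponding 4728/4732/4756 for additions, which the answer does not list but the asker also wants).

```python
import re
from collections import Counter, defaultdict

LOCKOUT = 4740
# Member removed from / added to a security-enabled group, keyed by group scope.
GROUP_MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}
GROUP_MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

HEADER_RE = re.compile(r"^(\w+)=(.*)$")              # EventCode=4740, ComputerName=...
BODY_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")  # "\tAccount Name:\t\tuser1"

# Constructed sample events in the WinEventLog:Security text layout
# (hosts, users and SIDs are made up).
SAMPLE_EVENTS = [
    "08/10/2021 10:01:12 AM\nLogName=Security\nEventCode=4740\nComputerName=dc01.example.local\n"
    "Message=A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tDC01$\n\tAccount Domain:\t\tEXAMPLE\n\nAccount That Was Locked Out:\n"
    "\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\n\tAccount Name:\t\tuser1\n\n"
    "Additional Information:\n\tCaller Computer Name:\tWS-042\n",
    "08/10/2021 10:02:40 AM\nLogName=Security\nEventCode=4740\nComputerName=dc02.example.local\n"
    "Message=A user account was locked out.\n\nSubject:\n\tAccount Name:\t\tDC02$\n\n"
    "Account That Was Locked Out:\n\tAccount Name:\t\tuser1\n\n"
    "Additional Information:\n\tCaller Computer Name:\tWS-017\n",
    "08/10/2021 10:05:05 AM\nLogName=Security\nEventCode=4729\nComputerName=dc01.example.local\n"
    "Message=A member was removed from a security-enabled global group.\n\nSubject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1-2-3-500\n\tAccount Name:\t\tadmin1\n\tLogon ID:\t\t0x3E7\n\n"
    "Member:\n\tAccount Name:\t\tCN=user1,CN=Users,DC=example,DC=local\n\nGroup:\n"
    "\tGroup Name:\t\tgroup1\n\tGroup Domain:\t\tEXAMPLE\n",
    "08/10/2021 10:06:30 AM\nLogName=Security\nEventCode=4728\nComputerName=dc01.example.local\n"
    "Message=A member was added to a security-enabled global group.\n\nSubject:\n"
    "\tAccount Name:\t\tadmin2\n\nMember:\n\tAccount Name:\t\tCN=svc-backup,OU=Service,DC=example,DC=local\n"
    "\nGroup:\n\tGroup Name:\t\tgroup2\n",
]


def parse_event(raw):
    """Parse one event into {"time", "EventCode", "ComputerName", "fields"}.
    Body lines are collected under their label as a list: a 4740 has two "Account Name"
    lines (Subject, usually the DC's machine account, then the locked-out one), which is
    why Splunk's Account_Name is multivalue on these events."""
    lines = raw.strip().splitlines()
    event = {"time": lines[0].strip(), "fields": defaultdict(list)}
    in_message = False
    for line in lines[1:]:
        if not in_message:
            m = HEADER_RE.match(line)
            if m and m.group(1) == "Message":
                in_message = True                # everything after this is the body
            elif m and m.group(1) == "EventCode":
                event["EventCode"] = int(m.group(2))
            elif m:
                event[m.group(1)] = m.group(2)
            continue
        m = BODY_RE.match(line)
        if m and m.group(2):                     # section headers like "Subject:" carry no value
            event["fields"][m.group(1)].append(m.group(2).strip())
    return event


def lockouts(events):
    """One record per 4740: locked-out user, caller computer, and the DC that logged it."""
    out = []
    for ev in events:
        if ev.get("EventCode") != LOCKOUT:
            continue
        names = ev["fields"].get("Account Name", [])
        callers = ev["fields"].get("Caller Computer Name", [])
        out.append({"time": ev["time"], "dc": ev.get("ComputerName"),
                    "user": names[-1] if names else None,  # last Account Name = locked-out account
                    "caller_computer": callers[0] if callers else None})
    return out


def lockout_counts(events):
    """Equivalent of `| stats count by user` over the 4740 events."""
    return Counter(r["user"] for r in lockouts(events))


def group_membership_changes(events, group=None):
    """Who added/removed which member to/from which group; `group` restricts to one Group Name.
    Subject > Account Name is the actor, Member > Account Name the DN of the changed account."""
    out = []
    for ev in events:
        code = ev.get("EventCode")
        if code in GROUP_MEMBER_REMOVED:
            action, scope = "removed", GROUP_MEMBER_REMOVED[code]
        elif code in GROUP_MEMBER_ADDED:
            action, scope = "added", GROUP_MEMBER_ADDED[code]
        else:
            continue
        f = ev["fields"]
        group_name = f.get("Group Name", [None])[0]
        if group is not None and group_name != group:
            continue
        names = f.get("Account Name", [])
        out.append({"time": ev["time"], "action": action, "scope": scope, "group": group_name,
                    "actor": names[0] if names else None, "member": names[1] if len(names) > 1 else None,
                    "dc": ev.get("ComputerName")})
    return out


if __name__ == "__main__":
    parsed = [parse_event(e) for e in SAMPLE_EVENTS]
    print(*lockouts(parsed), dict(lockout_counts(parsed)), sep="\n")
    print(*group_membership_changes(parsed, group="group1"), sep="\n")
```

The same multivalue caveat applies in SPL: on 4740 events `| eval locked_user=mvindex(Account_Name, -1)` selects the locked-out account rather than the DC's machine account. The group-change events exist only if the Audit Security Group Management subcategory is enabled on the domain controllers, which is what the answer means by enabling logging; `auditpol /set /subcategory:"Security Group Management" /success:enable` turns it on.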

risingflight143
New Member

Will the below syntax work for all users whose accounts were locked out in the last 1 hour?
Does host=* search all domain controllers?

for all users
index=wineventlog Account_Name=* EventCode=4740 earliest=<-1h> host=* | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name

for single user
index=wineventlog Account_Name=user1 EventCode=4740 earliest=<-1h> host=* | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name

Logging is enabled on all my domain controllers. I have a security group named group1; how do I use these event IDs to see who has removed or added users from this group?

0 Karma

gcusello
Legend

Hi @risingflight143,
the condition host=* isn't important because by default host=*; a host= condition could be useful if you want to limit the search only to the Domain Controllers.

About the time limits, you can insert them in the search using earliest, or manage them in the time picker and the alert scheduling.

About the second question, if logging is enabled, the above EventCodes identify the events you want.

If my answer solves your question, please accept and/or upvote it (for the benefit of other people); otherwise, how can I help you?

Ciao.
Giuseppe

0 Karma

risingflight143
New Member

Will the below syntax work for all users?

sourcetype=wineventlog:security EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name

Will the below syntax work for a single user?

sourcetype=wineventlog:security Account_Name=user1 EventCode=4740 earliest=<-1h> (host="dc01*" OR host="dc02*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
0 Karma

gcusello
Legend

Hi @risingflight143,
probably it's a problem of visualization, but earliest is a little different:

index=wineventlog sourcetype=wineventlog:security EventCode=4740 earliest=-h (host="dc01*" OR host="dc02*")
| table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name

P.S.: always use index as a search parameter; you'll have faster searches.

I didn't understand if this search works for you or not.
If not, what's the message or the wrong result?

Ciao.
Giuseppe

0 Karma

jscraig2006
Communicator

Try this for lockouts:

(sourcetype="WinEventLog:Security" EventCode=4740 src_ip!="127.0.0.1")
| stats count by src_ip, user, user_email, dest, subject
0 Karma