Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best method of finding out why a Users AD account keeps getting locked out

AaronMoorcroft
Communicator
‎07-18-2017 01:22 AM

Hi Guys,

We get a number of tickets for users accounts being locked out over and over again, I was wondering if anyone had any quick wins on how they find out the cause of this ?

I have been using - 

index=main sourcetype="*wineventlog:security" "usersADaccount" ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$")  | eval "User Account" = coalesce(Logon_Account,Logon_account)

This brings back the locked out events but I cant really see why its happening from this.

0 Karma
Reply

adonio
Ultra Champion
‎07-18-2017 04:38 AM

hello there,
not a full answer but from what i have seen in the past, many times the reason is many failed login attempts. windows logs it in event code 4625.
read here more:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
create a search that correlates the locked accounts with failed logins, maybe this is the reason
i wonder maybe your AD admin can help you as well to find root cause
hope it helps

Reply

AaronMoorcroft
Communicator
‎07-18-2017 07:51 AM

thank you, ill continue to plug away 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...