Security

Best method of finding out why a user's AD account keeps getting locked out

AaronMoorcroft
Communicator

Hi Guys,

We get a number of tickets for users' accounts being locked out over and over again. I was wondering if anyone had any quick wins on how they find out the cause of this?

I have been using -

index=main sourcetype="*wineventlog:security" "usersADaccount" ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$")  | eval "User Account" = coalesce(Logon_Account,Logon_account)

This brings back the locked-out events, but I can't really see why it's happening from this.

0 Karma

adonio
Ultra Champion

Hello there,
Not a full answer, but from what I have seen in the past, many times the reason is many failed login attempts. Windows logs it in event code 4625.
Read more here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
Create a search that correlates the locked accounts with failed logins; maybe this is the reason.
I wonder whether maybe your AD admin can help you as well to find the root cause.
Hope it helps.
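
The correlation suggested above, as an added example that is not part of the original thread: take each account-lockout event (4740, which is logged on the PDC emulator and names the Caller Computer Name) and group the failed logons that preceded it (4625 on the host that rejected the logon, 4776 for NTLM credential validation on the DC) by source host. Failures carrying the "account locked out" status (0xC0000234) are set aside, because they are a symptom of the lockout rather than its cause; the wrong-password failures (0xC000006A) from one host in the minutes before the 4740 are what point at the machine still holding a stale credential. The event records, the simplified field names (TargetUserName, CallerComputerName, WorkstationName, IpAddress, SubStatus, LogonAccount, SourceWorkstation, ErrorCode) and the 30-minute window are constructed for this example.

```python
"""
Correlate an AD account lockout (4740) with the failed logons that preceded it
(4625, 4776), grouped by source host, so the host generating the failures stands
out. Added example; the events and field names below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT = 4740        # "A user account was locked out" (PDC emulator)
FAILED_LOGON = 4625   # "An account failed to log on" (logged where the logon was rejected)
NTLM_AUTH = 4776      # "The computer attempted to validate the credentials" (DC, NTLM)
LOCKED_STATUS = "0xC0000234"  # account locked out: a symptom, not the cause

# NTSTATUS codes carried in 4625 Sub Status and 4776 Error Code
STATUS_TEXT = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
    "0xC0000064": "user name does not exist",
}

# Constructed sample: LAPTOP-OLD (10.1.2.30) still holds jsmith's previous
# password; WS-JSMITH is the user's current desktop. The 07:20 failure lies
# outside the 30-minute window and should not be counted.
EVENTS = [
    {"time": "2024-12-03 07:20:00", "EventCode": 4776, "LogonAccount": "jsmith", "SourceWorkstation": "LAPTOP-OLD", "ErrorCode": "0xC000006A"},
    {"time": "2024-12-03 08:00:05", "EventCode": 4776, "LogonAccount": "jsmith", "SourceWorkstation": "LAPTOP-OLD", "ErrorCode": "0xC000006A"},
    {"time": "2024-12-03 08:00:07", "EventCode": 4625, "TargetUserName": "jsmith", "WorkstationName": "LAPTOP-OLD", "IpAddress": "10.1.2.30", "SubStatus": "0xC000006A"},
    {"time": "2024-12-03 08:00:09", "EventCode": 4776, "LogonAccount": "jsmith", "SourceWorkstation": "LAPTOP-OLD", "ErrorCode": "0xC000006A"},
    {"time": "2024-12-03 08:00:11", "EventCode": 4625, "TargetUserName": "jsmith", "WorkstationName": "-", "IpAddress": "10.1.2.30", "SubStatus": "0xC000006A"},
    {"time": "2024-12-03 08:00:12", "EventCode": 4776, "LogonAccount": "jsmith", "SourceWorkstation": "LAPTOP-OLD", "ErrorCode": "0xC000006A"},
    {"time": "2024-12-03 08:00:14", "EventCode": 4740, "TargetUserName": "jsmith", "CallerComputerName": "LAPTOP-OLD"},
    {"time": "2024-12-03 08:00:40", "EventCode": 4625, "TargetUserName": "jsmith", "WorkstationName": "WS-JSMITH", "IpAddress": "10.1.2.50", "SubStatus": "0xC0000234"},
    {"time": "2024-12-03 08:05:00", "EventCode": 4625, "TargetUserName": "bjones", "WorkstationName": "WS-BJONES", "IpAddress": "10.1.2.77", "SubStatus": "0xC000006A"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def normalize(ev):
    """Reduce the three event shapes to one record (time, code, user, src, status)."""
    code = ev["EventCode"]
    if code == LOCKOUT:
        return {"time": _ts(ev["time"]), "code": code, "user": ev["TargetUserName"].lower(),
                "src": ev["CallerComputerName"], "status": None}
    if code == FAILED_LOGON:
        # Workstation Name is often "-" for network logons; fall back to the source IP.
        src = ev["WorkstationName"] if ev["WorkstationName"] not in ("", "-") else ev["IpAddress"]
        return {"time": _ts(ev["time"]), "code": code, "user": ev["TargetUserName"].lower(),
                "src": src, "status": ev["SubStatus"]}
    if code == NTLM_AUTH:
        return {"time": _ts(ev["time"]), "code": code, "user": ev["LogonAccount"].lower(),
                "src": ev["SourceWorkstation"], "status": ev["ErrorCode"]}
    return None


def explain_lockouts(events, user, window=timedelta(minutes=30)):
    """For each 4740 of `user`, summarise the failures in the window before it."""
    user = user.lower()
    rows = sorted((r for r in map(normalize, events) if r and r["user"] == user),
                  key=lambda r: r["time"])
    report = []
    for lock in (r for r in rows if r["code"] == LOCKOUT):
        start, t_lock = lock["time"] - window, lock["time"]
        by_src = defaultdict(Counter)
        symptoms_after = 0
        for r in rows:
            if r["code"] == LOCKOUT:
                continue
            if start <= r["time"] < t_lock and r["status"] != LOCKED_STATUS:
                by_src[r["src"]][STATUS_TEXT.get(r["status"], r["status"])] += 1
            elif t_lock <= r["time"] < t_lock + window and r["status"] == LOCKED_STATUS:
                symptoms_after += 1  # "locked out" failures after the fact: noise
        likely = max(by_src, key=lambda s: sum(by_src[s].values()), default=None)
        report.append({
            "locked_at": t_lock.strftime("%Y-%m-%d %H:%M:%S"),
            "caller_computer": lock["src"],
            "failures_by_source": {s: dict(c) for s, c in by_src.items()},
            "likely_source": likely,
            "symptom_events_after": symptoms_after,
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(explain_lockouts(EVENTS, "JSmith"), indent=2))
```

Two caveats when moving this to the real data: 4740 is only written on the PDC emulator, so that DC has to be forwarding its Security log, and 4625 is written on the machine that rejected the logon (a member server, not necessarily a DC), so a search limited to DC logs will see the 4776 failures but miss the 4625 ones. In Splunk the same grouping is a `stats count by` over the user, EventCode, source host and status fields after coalescing the differently named fields of each event type; the exact field names depend on the add-on extracting them, so check them against a sample of each event before writing the search.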

AaronMoorcroft
Communicator

Thank you, I'll continue to plug away 🙂

0 Karma