Best method of finding out why a Users AD account keeps getting locked out

AaronMoorcroft
Communicator

Hi Guys,

We get a number of tickets for users' accounts being locked out over and over again. I was wondering if anyone had any quick wins on how they find out the cause of this?

I have been using -

index=main sourcetype="*wineventlog:security" "usersADaccount" ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$")  | eval "User Account" = coalesce(Logon_Account,Logon_account)

This brings back the locked-out events, but I can't really see why it's happening from this.

0 Karma

adonio
Ultra Champion

Hello there,
Not a full answer, but from what I have seen in the past, many times the reason is many failed login attempts. Windows logs it in event code 4625.
Read more here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
Create a search that correlates the locked accounts with failed logins; maybe this is the reason.
I wonder, maybe your AD admin can help you as well to find the root cause.
Hope it helps.
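The correlation adonio describes, worked through as an added example that is not part of the thread: for each account-lockout event (4740) it tallies the failed logons (4625/4776) for the same account in the preceding window, grouped by the workstation they came from, so the machine holding the stale credential stands out. The log lines are constructed samples in a simplified key=value form; field names follow the Windows Security log, but the format and the window size are assumptions for the demo.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample events (not real logs) in simplified key=value form with Windows Security field names.
# 4625/4776 = failed logon or credential validation, 4740 = the account lockout event itself.
SAMPLE_EVENTS = """\
2024-03-01T08:00:05 EventCode=4625 Account_Name=jdoe Workstation_Name=WS-OLDLAPTOP Source_Network_Address=10.1.2.3 Sub_Status=0xC000006A
2024-03-01T08:00:35 EventCode=4625 Account_Name=jdoe Workstation_Name=WS-OLDLAPTOP Source_Network_Address=10.1.2.3 Sub_Status=0xC000006A
2024-03-01T08:01:10 EventCode=4776 Logon_Account=jdoe Source_Workstation=WS-OLDLAPTOP Error_Code=0xC000006A
2024-03-01T08:01:40 EventCode=4625 Account_Name=jdoe Workstation_Name=WS-DESK7 Source_Network_Address=10.1.5.9 Sub_Status=0xC000006A
2024-03-01T08:02:00 EventCode=4625 Account_Name=jdoe Workstation_Name=WS-OLDLAPTOP Source_Network_Address=10.1.2.3 Sub_Status=0xC000006A
2024-03-01T08:02:30 EventCode=4740 Account_Name=jdoe Caller_Computer_Name=WS-OLDLAPTOP
2024-03-01T09:15:00 EventCode=4625 Account_Name=asmith Workstation_Name=WS-DESK2 Source_Network_Address=10.1.7.7 Sub_Status=0xC000006A
"""
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """One event per line; the account field name differs between 4625 and 4776."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, _, rest = line.partition(" ")
        ev = dict(KV_RE.findall(rest))
        ev["time"] = datetime.fromisoformat(ts)
        ev["account"] = ev.get("Account_Name") or ev.get("Logon_Account")
        events.append(ev)
    return events

def failure_source(ev):
    """Workstation a failed logon came from (field name differs per event code)."""
    return ev.get("Workstation_Name") or ev.get("Source_Workstation") or "unknown"

def explain_lockouts(text, window_minutes=10):
    """For each 4740, count failed logons for that account in the preceding window,
    grouped by source workstation; the top source is usually the stale credential."""
    events = parse_events(text)
    report = []
    for lock in (e for e in events if e["EventCode"] == "4740"):
        since = lock["time"] - timedelta(minutes=window_minutes)
        sources = Counter(
            failure_source(e) for e in events
            if e["EventCode"] in ("4625", "4776")
            and e["account"] == lock["account"]
            and since <= e["time"] <= lock["time"])
        report.append({"account": lock["account"], "locked_at": lock["time"].isoformat(),
                       "caller": lock.get("Caller_Computer_Name"),
                       "failures": dict(sources.most_common())})
    return report
```

The same grouping translates directly to SPL: restrict to EventCode 4740 and 4625/4776, coalesce the account and workstation field names, then `stats count by account, workstation` over the minutes before each lockout.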

AaronMoorcroft
Communicator

Thank you, I'll continue to plug away 🙂

0 Karma