My use case is that we pay a vendor to do unlocks after hours for us. I do not want to turn on the AD setting to unlock an account after x amount of time because of brute force issues.
I was looking to use the Splunk (cloud) alerts we have for when a user gets locked to trigger PowerShell to unlock it, but only, say, 3 times before it alerts and leaves it locked.
I have looked all over but have just parts of my total. The alerting I have nailed down. It's the action I don't.
We have Splunk Cloud and Splunk ES. I am OK if the solution is another add-on.
Does anyone have a suggestion?
Thanks,
Dave
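
The unlock side of the workflow asked about above, as an added example that is not part of the original post: a PowerShell script that unlocks a locked account at most three times per time window and otherwise leaves it locked and signals the caller to alert. Assumptions: it runs on a domain-joined host with the ActiveDirectory module under an account delegated unlock rights; the parameter names, the 12-hour window and the state file path are hypothetical; how the Splunk alert action invokes the script is not shown.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Restrict the name to plain account characters, since it arrives from an alert payload
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,64}$')][string]$SamAccountName,
    [int]$MaxUnlocks = 3,          # cap from the post
    [int]$WindowHours = 12,        # assumed "after hours" window
    [string]$StatePath = 'C:\ProgramData\AutoUnlock\state.xml'   # hypothetical path
)
$ErrorActionPreference = 'Stop'

# State: hashtable of account name -> UTC timestamps of earlier automatic unlocks
$state = @{}
if (Test-Path $StatePath) { $state = Import-Clixml -Path $StatePath }

$key    = $SamAccountName.ToLowerInvariant()
$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddHours(-$WindowHours)

# Keep only the unlocks that fall inside the current window
$recent = @($state[$key] | Where-Object { $_ -gt $cutoff })

$user = Get-ADUser -Identity $SamAccountName -Properties LockedOut
if (-not $user.LockedOut) {
    [pscustomobject]@{ Account = $key; Action = 'NotLocked'; UnlocksInWindow = $recent.Count }
    exit 0
}

if ($recent.Count -ge $MaxUnlocks) {
    # Cap reached: leave the account locked and let the caller raise the alert
    [pscustomobject]@{ Account = $key; Action = 'LeftLocked'; UnlocksInWindow = $recent.Count }
    exit 2
}

# Unlock first; the attempt is recorded only if the unlock succeeded
Unlock-ADAccount -Identity $user
$state[$key] = @($recent) + $now

New-Item -ItemType Directory -Force -Path (Split-Path $StatePath) | Out-Null
$state | Export-Clixml -Path $StatePath

[pscustomobject]@{ Account = $key; Action = 'Unlocked'; UnlocksInWindow = $recent.Count + 1 }
exit 0
```

Exit code 2 is the signal for whatever runs the script to page someone. The state file should be writable only by the service account, since editing it resets the cap.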