Splunk Enterprise Security

Is it possible to use splunk to automate account unlocking but limit it to a set number of times?

dschneider
Engager

My use case is that we pay a vendor to do unlocks after hours for us. I do not want to turn on the AD setting to unlock an account after x amount of time because of brute force issues.

I was looking to use the Splunk (cloud) alerts we have for when a user gets locked to trigger a powershell to unlock it. But only say 3 times before it alerts and leaves it locked.

I have looked all over but have just parts of my total. The Alerting I have nailed down. It's the action I don't.

We have Splunk Cloud and Splunk ES I am ok if the solution is another add-on.

Does anyone have a suggestion?

Thanks,

Dave

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...