Splunk Enterprise Security

how do i search for failed login attempts and lockouts

stayready40
Engager

Hello all, I am fairly new to using Splunk and would like some help with searching for locked accounts and setting up a search that checks for failed passwords on a daily basis. I want to check for IDs which are constantly appearing on a daily basis for x number of times. If the pattern continues then I may know if a hacker is trying to break into a particular ID using a slow password attack.

I have been searching on event ID 4740 but it is returning no hits even though I have a user who has been locked out. Why would this be happening?

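One way to build the daily check described in the question, as an added example that is not from the original thread: it buckets failed logons (4625) and lockouts (4740) per account per day, then keeps only accounts that show up on several different days. The index name, the `WinEventLog:Security` sourcetype, the `user` and `src` field names (as extracted by the Splunk Add-on for Windows) and the thresholds (5 failures per day, 3 distinct days) are assumptions to adjust for your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4625 OR EventCode=4740)
    user!="-" user!="*$"
| bin _time span=1d
| stats count(eval(EventCode=4625)) AS failed_logons
        count(eval(EventCode=4740)) AS lockouts
        dc(src) AS distinct_sources
        values(src) AS sources
        BY _time user
| where failed_logons >= 5 OR lockouts > 0
| eventstats dc(_time) AS days_seen sum(failed_logons) AS total_failed
        sum(lockouts) AS total_lockouts BY user
| where days_seen >= 3
| sort - days_seen - total_failed
| table _time user failed_logons lockouts distinct_sources sources days_seen total_failed total_lockouts
```

Run it over a window of at least a week (for example `earliest=-7d@d`) so `days_seen` has several days to compare; saving it as a scheduled alert that triggers when results are returned gives the daily check the question asks for, and if 4740 events are missing entirely, the search confirms the ingestion problem rather than the detection logic.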

richgalloway
SplunkTrust

Are you indexing Windows event logs?  If not, then you'll need to install a UF on your AD server and have it forward Windows Security events to Splunk. Then you should be able to search for the desired event code.  WARNING: Windows event logs can be verbose - be prepared for a lot of ingest.

If you're already indexing Windows event logs then check the settings in inputs.conf on the forwarder.

---
If this reply helps you, Karma would be appreciated.

stayready40
Engager

Thank you, I am indexing Windows event logs, and I am seeing lockouts now but not for a specific user who has confirmed that his account was locked out.


richgalloway
SplunkTrust

Make sure you have a UF on all primary AD servers.  If you're filtering events then check that the user is not filtered unintentionally.

---
If this reply helps you, Karma would be appreciated.