Hello all, I am fairly new to using Splunk and would like some help with searching for locked accounts and setting up a search that checks for failed passwords on a daily basis. I want to check for IDs which are constantly appearing on a daily basis x number of times. If the pattern continues then I may know if a hacker is trying to break into a particular ID using a slow password attack.
I have been searching on event ID 4740 but it is returning no hits even though I have a user that has been locked out. Why would this be happening?
Are you indexing Windows event logs? If not, then you'll need to install a UF on your AD server and have it forward Windows Security events to Splunk. Then you should be able to search for the desired event code. WARNING: Windows event logs can be verbose - be prepared for a lot of ingest.
If you're already indexing Windows event logs then check the settings in inputs.conf on the forwarder.
Thank you, I am indexing Windows event logs, and I am seeing lockouts now but not for a specific user who had confirmed that his account was locked out.
Make sure you have a UF on all primary AD servers. If you're filtering events then check that the user is not filtered unintentionally.
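Two Splunk searches covering what the original post asks for, added here as an example and not taken from any post in this thread: the first lists 4740 lockouts per account with the host that triggered them, the second counts failed logons (event 4625) per account per day and keeps only accounts that hit the threshold on every day of a 7-day window, which is the "same ID, every day, x times" pattern the poster describes. The index name, the sourcetype, the `user` and `src` fields (as normalized by the Splunk Add-on for Windows) and the thresholds of 5 failures and 7 days are assumptions to adjust for your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4740 earliest=-7d@d
| stats count AS lockouts, min(_time) AS first_seen, max(_time) AS last_seen,
        values(Caller_Computer_Name) AS lockout_sources BY user
| convert ctime(first_seen) ctime(last_seen)
| sort - lockouts

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-7d@d latest=@d
| bin _time span=1d
| stats count AS failures, dc(src) AS distinct_sources BY _time, user
| where failures >= 5
| stats dc(_time) AS days_flagged, sum(failures) AS total_failures,
        max(distinct_sources) AS max_sources_per_day BY user
| where days_flagged >= 7
| sort - total_failures
```

Save the second search as a scheduled alert that runs once a day so the window rolls forward and you are notified only when an account stays above the threshold for the whole period. Note that 4625 is written on the host where the logon was attempted, so for domain-wide coverage from the domain controllers alone you would extend the EventCode filter to the Kerberos and NTLM failure events (4771, 4776) as well.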