Splunk Enterprise Security

How do I search for failed login attempts and lockouts?

stayready40
Engager

Hello all, I am fairly new to using Splunk and would like some help with searching for locked accounts and with setting up a search that checks for failed passwords on a daily basis. I want to check for IDs which are constantly appearing on a daily basis for x number of times. If the pattern continues then I may know if a hacker is trying to break into a particular ID using a slow password attack.

I have been searching on event ID 4740 but it returns no hits even though I have a user that has been locked out. Why would this be happening?


richgalloway
SplunkTrust

Are you indexing Windows event logs?  If not, then you'll need to install a UF on your AD server and have it forward Windows Security events to Splunk. Then you should be able to search for the desired event code.  WARNING: Windows event logs can be verbose - be prepared for a lot of ingest.

If you're already indexing Windows event logs then check the settings in inputs.conf on the forwarder.

---
If this reply helps you, an upvote would be appreciated.
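Once the Security log is being indexed, the two searches the original question asks for look roughly like this. This is an added example, not code from the original poster or from the reply above. It assumes the events land in an index named `wineventlog` with sourcetype `WinEventLog:Security`, and that the Splunk Add-on for Microsoft Windows is installed so that `user` is extracted as the account the event is about (for 4740 that is the locked-out account, not the subject); `Caller_Computer_Name` is the auto-extracted key from the 4740 event text. Adjust the index, sourcetype and thresholds to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4740 earliest=-24h
| stats count AS lockouts, values(Caller_Computer_Name) AS source_hosts, latest(_time) AS last_lockout BY user
| convert ctime(last_lockout)
| sort - lockouts

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-7d@d latest=@d
| bin _time span=1d
| stats count AS failures BY _time, user
| where failures >= 3
| stats count AS days_seen, sum(failures) AS total_failures, min(_time) AS first_day, max(_time) AS last_day BY user
| where days_seen >= 5
| convert ctime(first_day) ctime(last_day)
| sort - days_seen, - total_failures
```

The first search lists every account locked out in the last 24 hours and which computers the failed attempts came from. The second is the slow-attack check: it counts failed logons per account per day, keeps only days with at least 3 failures, then keeps accounts that had such a day on at least 5 of the last 7 days. Saved as a scheduled alert that runs once a day (the `-7d@d`/`@d` bounds snap the window to midnight so each run covers whole days), it surfaces accounts that a brute-forcer is probing slowly enough to stay under the lockout threshold. Two caveats: 4625 is written on the host that received the logon attempt, so failures against member servers and workstations are only visible if those hosts also forward their Security log; domain controllers record domain-account failures as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation), so a DC-only deployment should search those codes as well. A 4740 for a given user only appears if the domain's lockout policy actually triggered, so a spray that stays below the threshold never produces one.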

stayready40
Engager

Thank you, I am indexing Windows event logs, and I am seeing lockouts now but not for a specific user who had confirmed that his account was locked out.


richgalloway
SplunkTrust

Make sure you have a UF on all primary AD servers.  If you're filtering events then check that the user is not filtered unintentionally.

---
If this reply helps you, an upvote would be appreciated.
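The filtering pitfall mentioned above usually lives in the Security log stanza of the forwarder's inputs.conf. The following is an added illustration, not configuration from the original poster or the reply; the index name `wineventlog` is an assumption. The first stanza shows the kind of whitelist that silently drops lockouts because 4740 was never added; the second is the corrected version that keeps the logon-related codes together. Note that 4740 is recorded on the domain controller that processed the lockout and on the PDC emulator, which is why every DC needs a forwarder with this stanza, not just one.

```ini
# BEFORE (example of the mistake): only logon success/failure kept, so every
# 4740 lockout is discarded at the forwarder and the search finds nothing.
# [WinEventLog://Security]
# disabled = 0
# index = wineventlog
# whitelist = 4624,4625

# AFTER: one Security stanza per forwarder, whitelist covering logon, lockout
# and the DC-side Kerberos/NTLM failure codes. Events not listed are dropped.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# index name is an assumption for this example
renderXml = false
whitelist = 4624,4625,4740,4771,4776
```

Remove the `whitelist` line entirely if you want the full Security log; any whitelist or blacklist present means everything not matching it never reaches the indexer, which is the most common reason a confirmed lockout does not show up in search. Changes to inputs.conf require a forwarder restart to take effect.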