Splunk Enterprise Security

how do i search for failed login attempts and lockouts

stayready40
Engager

Hello all, I am fairly new to using Splunk and would like some help with searching for locked accounts and setting up a search that checks for failed passwords on a daily basis. I want to check for IDs which are constantly appearing on a daily basis x number of times. If the pattern continues then I may know if a hacker is trying to break into a particular ID using a slow password attack.

I have been searching on event ID 4740 but it is returning no hits even though I have a user that has been locked out. Why would this be happening?

0 Karma
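The "x failures per day, repeated over several days" pattern the question asks for can be expressed as a single search and saved as a scheduled (daily) alert. The search below is an added example, not from the original thread or from Splunk documentation. It assumes Windows Security events are in an index named wineventlog with sourcetype WinEventLog:Security, and that the Splunk Add-on for Microsoft Windows has normalized the target account to the field user and the source address to src; substitute your own index name and raw field names (for example Target_User_Name) if they differ. The thresholds (3 failures on a day, 3 such days in the last week) are placeholders to tune for your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4740) earliest=-7d@d latest=@d
| eval day=strftime(_time, "%Y-%m-%d")
| stats count(eval(EventCode=4625)) AS failed_logons,
        count(eval(EventCode=4740)) AS lockouts,
        dc(src) AS distinct_sources
        BY user day
| where failed_logons >= 3
| stats count AS days_over_threshold,
        sum(failed_logons) AS total_failed,
        sum(lockouts) AS total_lockouts,
        max(distinct_sources) AS max_sources_per_day
        BY user
| where days_over_threshold >= 3
| sort -days_over_threshold, -total_failed
```

The first stats pass builds one row per account per day with that day's failed-logon count (4625) and lockout count (4740); the where clause keeps only days over the per-day threshold, and the second stats pass counts how many such days each account had in the window. An account that clears both thresholds is failing a few times a day on most days, which is the slow-attack signature that a plain "count of 4625 today" search would miss. Two caveats: 4625 is recorded on the computer where the logon was attempted, so for domain accounts you will often see the failures as 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation) on the domain controllers rather than as 4625 there, and may want to add those event codes to the first line; and a high distinct_sources value is worth a look on its own, since one user failing from many source addresses is a different situation from a user mistyping a password at one workstation.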

richgalloway
SplunkTrust

Are you indexing Windows event logs?  If not, then you'll need to install a UF on your AD server and have it forward Windows Security events to Splunk. Then you should be able to search for the desired event code.  WARNING: Windows event logs can be verbose - be prepared for a lot of ingest.

If you're already indexing Windows event logs then check the settings in inputs.conf on the forwarder.

---
If this reply helps you, Karma would be appreciated.

stayready40
Engager

Thank you, I am indexing Windows event logs and I am seeing lockouts now, but not for a specific user who had confirmed that his account was locked out.

0 Karma

richgalloway
SplunkTrust

Make sure you have a UF on all primary AD servers.  If you're filtering events then check that the user is not filtered unintentionally.

---
If this reply helps you, Karma would be appreciated.
0 Karma
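The follow-up problem (lockouts visible for some users but not for one who was definitely locked out) is usually a coverage gap rather than a search problem: 4740 is written on the domain controller that processed the lockout and on the PDC emulator, so if that DC has no forwarder, or its inputs.conf does not include the Security channel or filters the event, the lockout never reaches Splunk. The search below is an added example, not from the original thread, for checking which hosts are actually delivering 4740 events. It assumes the same sourcetype and the user field mapping as above and searches index=* deliberately so that events routed to an unexpected index still show up.

```spl
index=* sourcetype="WinEventLog:Security" EventCode=4740 earliest=-7d
| stats count AS lockouts,
        latest(_time) AS last_seen,
        values(user) AS locked_accounts
        BY index host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -last_seen
```

Compare the host column against the full list of domain controllers: any DC that is absent is either not running a universal forwarder or is not forwarding the Security log, and that is where the missing user's lockout was recorded. If the user's name does appear in locked_accounts for some host but your original search missed it, the search was scoped to the wrong index or the account name is stored in a different field (for example Target_User_Name rather than user) in that data.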