Splunk Search

Account Locked out without DC$

Path Finder

All domain controllers are sending event codes 644 and 4740 to the windowseventlog index.

Using the search below I am able to determine the locked-out accounts; as a result, the search provides the locked-out account name.

As Account_Name I have the DomainController$ and the user names. I can't use Account_Name!=DomainController$ to display only the user names, because the related user names would also be omitted.

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" (EventCode=4740 OR EventCode=644) AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | timechart span=1h count by Account_Name


Re: Account Locked out without DC$

Legend

Can you restate your question? Are you wanting to remove the domain name from the Account_Name field and keep only the user name, or do you want to exclude events that have only the domain name? Also, can you share a couple of sample events?


Re: Account Locked out without DC$

Path Finder

Hi, I will try to explain myself better. In the raw data, for a single event, I have as Account_Name both the user ID and the DCx$:

Account_Name=DC1$ Account_Name=J.smith EventCode=4740
Account_Name=DC1$ Account_Name=p.brown EventCode=4740
Account_Name=DC2$ Account_Name=p.brown EventCode=4740

As search result, using stats by Account_Name, I get:

DC1$ = 2
J.smith = 1
DC2$ = 1
p.brown = 2

What I'm looking for:

j.smith = 1
p.brown = 2

Thank you in advance for your attention.


Re: Account Locked out without DC$

Builder

Try this.

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" (EventCode=4740 OR EventCode=644) AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| timechart span=1h count by Account_Name

Re: Account Locked out without DC$

Builder

Just because I'm not a fan of timechart, this one will show you where the account was locked out. This assumes Caller_Computer_Name is a valid field for you. Security_ID is redundant if you only have one domain.

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" (EventCode=4740 OR EventCode=644) AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| stats count(Account_Name) as COUNT by Account_Name Security_ID Caller_Computer_Name

-JD

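As an added example, not code from the original thread or from either answer above, the Python script below emulates what both answers' searches do over constructed sample 4740 events. It shows why mvindex(Account_Name, 1) selects the locked-out user: in the standard 4740 message text the Subject block (the reporting DC's computer account, DCx$) comes first and the "Account That Was Locked Out" block second, and Splunk's Windows add-on keeps those "Account Name:" values in document order in one multivalue field. The sample events, the SIDs and the workstation names are all constructed, and the field extraction is an assumption that mirrors that add-on behaviour rather than Splunk's own code. The mvindex() helper also reproduces the SPL function's null result for an out-of-range index, which is the reason events with only one Account Name value silently drop out of a "by Account_Name" aggregation.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). The message
# layout follows the standard Windows Security 4740 text: the Subject
# block names the computer account (DCx$) that reported the lockout and
# the "Account That Was Locked Out" block names the user. SIDs, hostnames
# and users are made up for the example.
SAMPLE_EVENTS = [
    """EventCode=4740
A user account was locked out.
Subject:
    Security ID:        S-1-5-18
    Account Name:       DC1$
    Account Domain:     CORP
Account That Was Locked Out:
    Security ID:        S-1-5-21-111-222-333-1105
    Account Name:       j.smith
Additional Information:
    Caller Computer Name:   WKSTN01
""",
    """EventCode=4740
A user account was locked out.
Subject:
    Security ID:        S-1-5-18
    Account Name:       DC1$
Account That Was Locked Out:
    Security ID:        S-1-5-21-111-222-333-1106
    Account Name:       p.brown
Additional Information:
    Caller Computer Name:   WKSTN02
""",
    """EventCode=4740
A user account was locked out.
Subject:
    Security ID:        S-1-5-18
    Account Name:       DC2$
Account That Was Locked Out:
    Security ID:        S-1-5-21-111-222-333-1106
    Account Name:       p.brown
Additional Information:
    Caller Computer Name:   WKSTN02
""",
    # Excluded by the Account_Name!=Guest clause of the searches.
    """EventCode=4740
A user account was locked out.
Subject:
    Security ID:        S-1-5-18
    Account Name:       DC1$
Account That Was Locked Out:
    Security ID:        S-1-5-21-111-222-333-501
    Account Name:       Guest
Additional Information:
    Caller Computer Name:   WKSTN03
""",
    # A failed logon, not a lockout: filtered out by the EventCode clause.
    """EventCode=4625
An account failed to log on.
Subject:
    Security ID:        S-1-0-0
    Account Name:       -
Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       j.smith
""",
]

EXCLUDED = {"Guest", "Administrator", "Anonymous"}
LOCKOUT_CODES = {4740, 644}   # 644 is the pre-2008 ID the thread also searches


def extract_fields(raw):
    """Assumed field extraction: every 'Account Name:' / 'Security ID:' line
    becomes one value of a multivalue field, in document order."""
    code = re.search(r"EventCode=(\d+)", raw)
    caller = re.search(r"Caller Computer Name:\s*(\S+)", raw)
    return {
        "EventCode": int(code.group(1)) if code else None,
        "Account_Name": re.findall(r"Account Name:\s*(\S+)", raw),
        "Security_ID": re.findall(r"Security ID:\s*(\S+)", raw),
        "Caller_Computer_Name": caller.group(1) if caller else None,
    }


def mvindex(values, i):
    """Splunk's mvindex(): null (None) when the index does not exist."""
    return values[i] if -len(values) <= i < len(values) else None


def count_all_values(raw_events):
    """What the original search does: every Account_Name value, the DCx$
    computer accounts included, becomes its own series."""
    counts = Counter()
    for raw in raw_events:
        f = extract_fields(raw)
        if f["EventCode"] not in LOCKOUT_CODES:
            continue
        if any(name in EXCLUDED for name in f["Account_Name"]):
            continue
        counts.update(f["Account_Name"])
    return counts


def locked_out_rows(raw_events):
    """Rows after the two eval/mvindex lines of the answers: the locked-out
    account (index 1), its SID and the caller computer."""
    rows = []
    for raw in raw_events:
        f = extract_fields(raw)
        if f["EventCode"] not in LOCKOUT_CODES:
            continue
        target = mvindex(f["Account_Name"], 1)
        if target is None or target in EXCLUDED:
            continue   # null target: the event vanishes from a "by" clause
        rows.append((target, mvindex(f["Security_ID"], 1), f["Caller_Computer_Name"]))
    return rows


def count_by_account(raw_events):
    """First answer, minus the hourly time bucketing of timechart."""
    return Counter(row[0] for row in locked_out_rows(raw_events))


def count_by_account_and_caller(raw_events):
    """Second answer: stats count by Account_Name Security_ID Caller_Computer_Name."""
    return Counter(locked_out_rows(raw_events))


if __name__ == "__main__":
    print("original search :", dict(count_all_values(SAMPLE_EVENTS)))
    print("first answer    :", dict(count_by_account(SAMPLE_EVENTS)))
    for (acct, sid, caller), n in count_by_account_and_caller(SAMPLE_EVENTS).items():
        print(f"second answer   : {acct:10} {sid:28} {caller:10} {n}")
```

The three functions reproduce the thread's progression: count_all_values gives the mixed DC1$/user output the question complains about, count_by_account gives the user-only counts the asker wanted, and count_by_account_and_caller adds the Caller_Computer_Name that tells you which host generated the bad passwords. One caveat carried over from the SPL: because the filter on Guest/Administrator/Anonymous is written against the multivalue field, the whole event is dropped whenever any of its Account Name values matches; here the exclusion is applied to the locked-out name, which is what the searches intend.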

Re: Account Locked out without DC$

Path Finder

Both are working well. Thanks a lot!
