Splunk Search

Account Lockouts Report for Active Directory

brookshelpdesk
Engager

Hello,

I'm running the following search that gives me accounts that get locked out and targets the specific domain controller that issues the security alert. I would like to add the time stamps when the user gets locked out:

(Current search)
index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc

I tried playing around with the following search:
index=main source=Security host= EventCode=4740
| eval Account=coalesce(Target_Account_Name, user)
| eval Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name)
| fillnull value="Unknown" Machine
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| dedup Time, Account
| dedup Account, Machine
| table Time, Account, Machine

(This search gives me the time stamp and the account name, but I don't see the domain controllers in this list.) So, is there a way to get the domain controllers (see "current search") added to this?

Thanks in advance


adonio
Ultra Champion

Add the field _time to the split-by. stats automatically trims all undeclared fields. Something like this:

    index=main source=Security host= EventCode=4740
    | stats count by Target_Domain Target_User_Name dvc _time

There are also many answers for this use case in this portal; try searching for "4740" in the little search bar on the top right.

Hope it helps.

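An extended version of the accepted approach, added here as an example rather than the original poster's or the answerer's search. Because every 4740 event carries its own _time, splitting stats by raw _time produces one row per lockout with count=1, which is really just a table. The version below keeps the per-domain-controller breakdown (dvc) and instead collects the lockout timestamps and the calling computers into one row per account, with first/last seen and the number of distinct callers. It assumes only the field names already shown in the thread (Target_Domain, Target_User_Name, Target_Account_Name, Caller_Computer_Name, Caller_Machine_Name, dvc) and leaves out the host= filter whose value is blank above; the column names after AS are chosen here.

```spl
index=main source=Security EventCode=4740
| eval Account=coalesce(Target_User_Name, Target_Account_Name)
| eval Caller=coalesce(Caller_Computer_Name, Caller_Machine_Name)
| fillnull value="Unknown" Caller
| eval LockoutTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count AS Lockouts
        min(_time) AS FirstSeen
        max(_time) AS LastSeen
        list(LockoutTime) AS LockoutTimes
        values(Caller) AS CallerComputers
        dc(Caller) AS DistinctCallers
  BY Target_Domain Account dvc
| convert ctime(FirstSeen) ctime(LastSeen)
| sort - Lockouts
```

list() keeps every timestamp in event order (capped at 100 values per row), while values() de-duplicates the caller names. Lockouts and DistinctCallers are the columns worth watching: repeated lockouts of one account from a single caller usually point to a stale credential on that machine (a service, mapped drive or scheduled task), whereas many different accounts locked from the same caller in a short window is the pattern to escalate for investigation.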


brookshelpdesk
Engager

Adonio,

Thank you very much. That gave me the info I needed, and all I needed to do was add the _time.... So simple :}

Thanks,
Bob


brookshelpdesk
Engager

This was exactly what I was looking for. Just simply adding the _time gave me the info I needed (so simple).

Thank you
