Splunk Search

Account Lockouts Report for Active Directory

brookshelpdesk
Engager

Hello,

I'm running the following search, which gives me the accounts that get locked out and the specific domain controller that issued the security event. I would like to add the time stamps of when each user got locked out:

(Current search)
index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc

I tried playing around with the following search:
index=main source=Security host= EventCode=4740
| eval Account=if(isnotnull(Target_Account_Name), Target_Account_Name, user)
| eval Machine=if(isnotnull(Caller_Machine_Name), Caller_Machine_Name, Caller_Computer_Name)
| fillnull value="Unknown" Machine
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| dedup Time, Account
| dedup Account, Machine
| table Time, Account, Machine

(This search gives me the time stamp and the account name, but I don't see the domain controllers in this list.) So, is there a way to get the domain controllers (see "current search") added to this?

Thanks in advance

1 Solution

adonio
Ultra Champion

Add the field _time to the split-by. stats automatically trims all undeclared fields. Something like this:

index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc _time

There are also many answers for this use case in this portal; try searching for "4740" in the little search bar on the top right.

Hope it helps.

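As an added example (not part of the original thread, and not adonio's or the poster's own search), the variant of this report a practitioner usually ends up with: splitting by the raw _time field produces one row per event with a count of 1, so this version keeps the domain controller (dvc) and replaces the per-event split with first and last lockout times and a per-account count. `host=<DC_HOSTNAME>` is a placeholder for the host value the poster left blank, and Caller_Computer_Name is taken from the poster's second search and assumed to be extracted by the Windows add-on.

```spl
index=main source=Security host=<DC_HOSTNAME> EventCode=4740
| stats count AS lockouts
        earliest(_time) AS first_lockout
        latest(_time) AS last_lockout
        values(Caller_Computer_Name) AS caller_machines
  BY Target_Domain Target_User_Name dvc
| eval first_lockout=strftime(first_lockout, "%m/%d/%y %H:%M:%S"),
       last_lockout=strftime(last_lockout, "%m/%d/%y %H:%M:%S")
| sort - lockouts
```

Sorting by lockouts puts repeat offenders at the top; an account with many lockouts from a single caller machine is usually a stale saved credential or service account on that machine, while the same account locked out from many caller machines is worth escalating to the security team rather than just unlocking.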


brookshelpdesk
Engager

Adonio,

Thank you very much. That gave me the info I needed, and all I needed to do was add the _time. So simple :}

Thanks,
Bob


brookshelpdesk
Engager

This was exactly what I was looking for. Just simply adding the _time gave me the info I needed (so simple).

Thank you
