Account Lockouts Report for Active Directory

brookshelpdesk
Engager

Hello,

I'm running the following search that gives me accounts that get locked out and the specific domain controller that issues the security event. I would like to add the timestamps of when the user gets locked out:

(Current search)
index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc

I tried playing around with the following search:
index=main source=Security host= EventCode=4740
| eval Account=if(isnotnull(Target_Account_Name), Target_Account_Name, user)
| eval Machine=if(isnotnull(Caller_Machine_Name), Caller_Machine_Name, Caller_Computer_Name)
| fillnull value="Unknown" Machine
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| dedup Time, Account
| dedup Account, Machine
| table Time, Account, Machine

(This search gives me the timestamp and the account name, but I don't see the domain controllers in this list.) So, is there a way to get the domain controllers (see the "current search" above) added to this?

Thanks in advance


adonio
Ultra Champion

Add the field _time to the split-by.
stats automatically trims all undeclared fields.
Something like this:

   index=main source=Security host= EventCode=4740
    | stats count by Target_Domain Target_User_Name dvc _time

There are also many answers for this use case in this portal; try searching for "4740" in the little search bar at the top right.

hope it helps

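A caveat worth knowing before copying the accepted search: adding the raw _time to the split-by gives one row per event, so count is always 1 and a "count of lockouts per account" is lost. The search below is an added example, not part of adonio's answer or the original post. It keeps the domain controller (dvc) and adds the caller computer from the 4740 event (Caller_Computer_Name / Caller_Machine_Name, as used in the question), which is the security-relevant field: it tells you where the bad password attempts are coming from, not just which DC recorded the lockout. It assumes the field names used on this page; the host= filter from the original search is left out here because its value is not shown, so add it back for your environment. The span=1h bucket and the output field names are my own choices.

```spl
index=main source=Security EventCode=4740
| eval Account=coalesce(Target_User_Name, Target_Account_Name, user)
| eval Source=coalesce(Caller_Computer_Name, Caller_Machine_Name)
| fillnull value="Unknown" Source
| eval event_time=_time
| bin _time span=1h
| stats count AS lockouts,
        min(event_time) AS first_lockout,
        max(event_time) AS last_lockout,
        values(dvc) AS domain_controller,
        values(Source) AS lockout_source
  by _time Target_Domain Account
| eval first_lockout=strftime(first_lockout, "%m/%d/%y %H:%M:%S"),
       last_lockout=strftime(last_lockout, "%m/%d/%y %H:%M:%S")
| sort - lockouts
```

event_time is copied before bin because bin overwrites _time with the bucket start; min/max on the copy give the real first and last lockout inside each hour. Accounts that show several lockouts per hour from one lockout_source are the ones to look at first: that pattern is typical of a stale credential in a scheduled task or service, or of a password-spraying host.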

brookshelpdesk
Engager

Adonio,

Thank you very much. That gave me the info I needed, and all I needed to do was add the _time... So simple :}

Thanks,
Bob


brookshelpdesk
Engager

This was exactly what I was looking for. Just simply adding the _time gave me the info I needed (so simple).

Thank you
