Splunk Search

Account Lockouts Report for Active Directory

brookshelpdesk
Engager

Hello,

I'm running the following search that gives me accounts that get locked out and the specific domain controller that issues the security alert. I would like to add the timestamps of when the user gets locked out:

(Current search)
index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc

I tried playing around with the following search:
index=main source=Security host= EventCode=4740
| eval Account=if(Target_Account_Name!=NULL, Target_Account_Name, user)
| eval Machine=if(Caller_Machine_Name!=NULL, Caller_Machine_Name, Caller_Computer_Name)
| fillnull Value="Unknown" Machine
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| dedup Time, Account
| dedup Account, Machine
| table Time, Account, Machine

(This search gives me the timestamp and the account name, but I don't see the domain controllers in this list.) So, is there a way to get the domain controllers (see "current search") added to this?

Thanks in advance

1 Solution

adonio
Ultra Champion

add the field _time to the split by
stats automatically trims all undeclared fields
something like this:

index=main source=Security host= EventCode=4740
| stats count by Target_Domain Target_User_Name dvc _time

there are also many answers for this use case in this portal; try searching for "4740" in the little search bar on the top right

hope it helps


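As an added illustration (not code from the thread or from Splunk), here is a small Python model of what the corrected `stats count by ... _time` does over a few constructed 4740 events: any field not named in the split-by is dropped from the output, so listing `_time` is what keeps the lockout timestamp next to the `dvc` (domain controller) field. The field names follow the thread; the sample events, the `Unknown` fallback for a missing caller machine, and the extra per-machine count (useful when one workstation keeps locking accounts) are my own additions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events modelled on the fields named in the thread
# (EventCode 4740, Target_Domain, Target_User_Name, Caller_Computer_Name, dvc).
# _time is an epoch timestamp, as Splunk stores it.
SAMPLE_EVENTS = [
    {"_time": 1716990000, "EventCode": "4740", "Target_Domain": "CORP",
     "Target_User_Name": "jdoe", "Caller_Computer_Name": "WS-101", "dvc": "DC01"},
    {"_time": 1716990060, "EventCode": "4740", "Target_Domain": "CORP",
     "Target_User_Name": "asmith", "dvc": "DC02"},          # caller machine missing
    {"_time": 1716990120, "EventCode": "4740", "Target_Domain": "CORP",
     "Target_User_Name": "jdoe", "Caller_Computer_Name": "WS-101", "dvc": "DC01"},
    {"_time": 1716990120, "EventCode": "4740", "Target_Domain": "CORP",
     "Target_User_Name": "jdoe", "Caller_Computer_Name": "WS-101", "dvc": "DC01"},
    {"_time": 1716990180, "EventCode": "4625", "Target_Domain": "CORP",
     "Target_User_Name": "jdoe", "dvc": "DC01"},            # not a lockout, filtered out
]


def lockout_report(events):
    """Emulate `stats count by _time Target_Domain Account Machine dvc`.

    Only the split-by fields survive in each output row; that is why _time
    must be part of the split-by to appear beside dvc in the report.
    Account and Machine use the first available source field, like the
    eval/if lines in the thread (coalesce in SPL terms).
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventCode") != "4740":
            continue
        account = ev.get("Target_Account_Name") or ev.get("Target_User_Name") or ev.get("user")
        machine = ev.get("Caller_Machine_Name") or ev.get("Caller_Computer_Name") or "Unknown"
        counts[(ev["_time"], ev.get("Target_Domain"), account, machine, ev.get("dvc"))] += 1
    rows = []
    for (t, domain, account, machine, dc), n in sorted(counts.items()):
        ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%m/%d/%y %H:%M:%S")
        rows.append({"Time": ts, "Target_Domain": domain, "Account": account,
                     "Machine": machine, "dvc": dc, "count": n})
    return rows


def lockouts_per_machine(events):
    """Total lockouts per caller machine, to spot a single noisy source."""
    totals = defaultdict(int)
    for row in lockout_report(events):
        totals[row["Machine"]] += row["count"]
    return dict(totals)


if __name__ == "__main__":
    for row in lockout_report(SAMPLE_EVENTS):
        print(row)
    print(lockouts_per_machine(SAMPLE_EVENTS))
```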


brookshelpdesk
Engager

Adonio,

Thank you very much. That gave me the info I needed, and all I needed to do was add the _time. So simple :}

Thanks,
Bob


brookshelpdesk
Engager

This was exactly what I was looking for. Just simply adding the _time gave me the info I needed (so simple).

Thank you
