Splunk Search

Combine lockout event with last failed attempt event.

snix
Communicator

I am building out a report that lists all the lockouts during a given period of time. If I look at the Windows security event ID 4740 on a machine where one of the local accounts show a lock out then all I can see is that the account was locked out but there is no information in regards to what remote machine made the attempt.

If I do a secondary search around the time of the lockout I can see that there is a number of failed logins and I am able to get a Workstation Name, Source Network Address, and the logon type. This info is usually enough to let me know why it was locked out.

What I would like to do is run a main search for the lockout then when one is found run a secondary search that looks backwards on that machines logs starting from the time the event is recorded and find the last failed login event right before the lockout happened and maybe even verify if the account on the lockout event matches the account on the failed attempt then pull the Workstation Name, Source Network Address, and the logon type files from that event and append them onto the first event.

This would give me an event that might look something like this once you clean up the field names:
User Name, Target Computer, Source Computer, Source IP, logon type, Time

User Name, Target Computer, and Time come from the first search (AKA lockout search) and Source Computer, Source IP, logon type comes from the second search (AKA last failed attempt search).

Doable?

0 Karma

to4kawa
Ultra Champion

make earliest= and latest= from lockout time and return to main search.

0 Karma

snix
Communicator

Thanks but I still don't see how it would work. I see in a return you can pull a field out of a secondary search but I am still having trouble seeing how you would combine it all. Could you provide a generic search example?

0 Karma

to4kawa
Ultra Champion

https://qiita.com/toshikawa/items/38e57c6f2b0514db109b
sorry, all text is japanese.
please translate them.
but SPL is useful for you.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...