Splunk Search

Combine lockout event with last failed attempt event.

Communicator

I am building out a report that lists all the lockouts during a given period of time. If I look at the Windows security event ID 4740 on a machine where one of the local accounts shows a lockout, then all I can see is that the account was locked out, but there is no information in regards to what remote machine made the attempt.

If I do a secondary search around the time of the lockout I can see that there are a number of failed logins, and I am able to get a Workstation Name, Source Network Address, and the logon type. This info is usually enough to let me know why it was locked out.

What I would like to do is run a main search for the lockout, then when one is found run a secondary search that looks backwards on that machine's logs, starting from the time the event is recorded, and find the last failed login event right before the lockout happened (maybe even verify that the account on the lockout event matches the account on the failed attempt), then pull the Workstation Name, Source Network Address, and logon type fields from that event and append them onto the first event.

This would give me an event that might look something like this once you clean up the field names:
User Name, Target Computer, Source Computer, Source IP, logon type, Time

User Name, Target Computer, and Time come from the first search (AKA the lockout search), and Source Computer, Source IP, and logon type come from the second search (AKA the last failed attempt search).

Doable?


Ultra Champion

Make earliest= and latest= from the lockout time and return them to the main search.

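Putting the suggested approach into SPL, as an added example that is not part of the original thread. The first search is the single-lockout form the answer describes: a subsearch turns the most recent 4740 into earliest=/latest= time modifiers plus the locked account name, which `return` hands back to the main 4625 search. The second search goes beyond that and generalizes it to a whole reporting period: `streamstats` pairs every lockout with the most recent preceding failed logon for the same account on the same host in one pass, which is what a scheduled report needs. The field names (`Account_Name`, `Workstation_Name`, `Source_Network_Address`, `Logon_Type`, `ComputerName`, `EventCode`) are the extractions of the Splunk Add-on for Windows and are assumed; the index name `wineventlog` and the 900-second look-back window are placeholders to adjust.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
    [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4740
      | head 1
      | eval target=mvindex(Account_Name, -1), latest=_time, earliest=_time-900
      | return Account_Name=target earliest latest ]
| head 1
| table _time, Account_Name, ComputerName, Workstation_Name, Source_Network_Address, Logon_Type

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4625)
| eval account=lower(mvindex(Account_Name, -1))
| eval fail_time=if(EventCode=4625, _time, null())
| sort 0 _time
| streamstats current=f
      last(fail_time) as failed_time,
      last(Workstation_Name) as Source_Computer,
      last(Source_Network_Address) as Source_IP,
      last(Logon_Type) as logon_type
      by ComputerName, account
| where EventCode=4740
| eval lag_sec=_time-failed_time
| eval Source_Computer=if(lag_sec<=900, Source_Computer, null()),
       Source_IP=if(lag_sec<=900, Source_IP, null()),
       logon_type=if(lag_sec<=900, logon_type, null())
| fillnull value="no failure in window" Source_Computer, Source_IP, logon_type
| table _time, account, ComputerName, Source_Computer, Source_IP, logon_type, lag_sec
| rename _time as Time, account as "User Name", ComputerName as "Target Computer",
         Source_Computer as "Source Computer", Source_IP as "Source IP"
```

In the first search, `mvindex(Account_Name, -1)` picks the target account out of the multivalue field (the add-on extracts both the subject and the target name into `Account_Name`, target last), and `head 1` on the outer search keeps only the failure closest to the lockout. In the second, `current=f` makes `streamstats` report the values seen before the lockout rather than on it, `fail_time` is only set on 4625 events so `failed_time` never points at an earlier lockout, and the `lag_sec<=900` check blanks the source fields when the most recent failure is too old to be the cause, which is the case worth eyeballing rather than hiding. For local accounts the 4740 and the 4625 land on the same host, so grouping by `ComputerName` is correct; for domain accounts the 4740 is written on the domain controller while the 4625 is on the member host, so drop `ComputerName` from the `by` clause there and group on `account` alone.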

Communicator

Thanks but I still don't see how it would work. I see in a return you can pull a field out of a secondary search but I am still having trouble seeing how you would combine it all. Could you provide a generic search example?


Ultra Champion

https://qiita.com/toshikawa/items/38e57c6f2b0514db109b
Sorry, all the text is Japanese.
Please translate it.
But the SPL is useful for you.
