
Failed Login to Locked out account

Path Finder

I am trying to identify an event that fires when a login has been attempted to a previously locked account. I am not looking for failed logins or lockout events. I just want the failed login attempt that occurred on an account that was already locked out. Any help figuring out how to design a query for this would be great.


Engager

Locked out account search form

<form>
  <label>Account Lockout Search</label>
  <searchTemplate>eventtype="windows_events" sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4723 OR EventCode=4724 OR EventCode=4625 OR EventCode=4769 OR EventCode=4767 OR EventCode=4776) user="$user$" | eval Workstation_Name=coalesce(Workstation_Name,Source_Workstation) | table _time, src_ip, user, action, Workstation_Name, src_nt_host, name, Failure_Reason | rename name AS Description | sort user</searchTemplate>
  <fieldset>
    <!-- free-text user filter; the default of * matches every account, so an
         empty input does not leave the $user$ token in searchTemplate unset -->
    <input type="text" token="user">
      <default>*</default>
    </input>
    <input type="time">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- an event listing (raw events with full text), not a table -->
      <event>
        <title>Results</title>
        <option name="count">50</option>
      </event>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Top Descriptions</title>
        <searchPostProcess>| top limit=20 Description</searchPostProcess>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top Source IP by Time</title>
        <searchPostProcess>| timechart count by src_ip limit=10</searchPostProcess>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Count over time</title>
        <searchPostProcess>| chart sparkline count by user</searchPostProcess>
        <format field="sparkline" type="sparkline"></format>
      </table>
    </panel>
  </row>
</form>

Path Finder

Yes it would work, just modifying the query a little bit:

index=winsec EventCode=4625 user=abc | append [search EventCode=4740 user=abc] | table user, _time


Path Finder

What does append do here?


Path Finder

It will append the search result of one search with another.


Path Finder

Hi Mihall,

If an account gets locked out, the next event coming would be either a failed logon (EventCode 4625) or Kerberos pre-authentication failed (EventCode 4771) event for that particular account. You can use the below query:

index=winsec (EventCode=4625 OR EventCode=4771) user=abc | eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S") | dedup user ComputerName | eval Error=coalesce(Failure_Reason, Failure_Code) | table Time user Error EventCodeDescription

Let me know if this works.
Thanks.

Path Finder

The results produced are showing all failed logins, including events that occurred due to a failed password attempt. Is there a way to narrow this down further so that it's only showing events that came after a lockout? Thanks.


Path Finder

The event which will occur after an account gets locked out would be a failed login event. So if user=abc gets locked out, the next event for user=abc would be a failed logon. EventCode 4625 would show you failed logon events.


Path Finder

So would the following search and subsearch find the locked out accounts and look for failed logon attempts to them?

EventCode=4625 [search EventCode=4740] | table user, _time

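The correlation the thread is circling (a 4625 or 4771 for an account that already has a 4740 and no later 4767 unlock), as an added example that is not from any post here. It is offline Python rather than SPL, runs over constructed events shaped with the Windows TA field names the dashboard above uses (user, ComputerName, Failure_Reason, Failure_Code), and exists so the logic can be checked on known data before it is turned into a search.

```python
"""Added example (not from the thread): list failed logons that hit an account
while it is already locked out, i.e. after its 4740 and before any 4767."""
from datetime import datetime


def ev(stamp, code, user, host, **fields):
    """Build one constructed event in Splunk Windows TA field names."""
    return {"_time": stamp, "EventCode": code, "user": user,
            "ComputerName": host, **fields}


# Constructed sample events, deliberately out of time order to show that
# the correlation sorts first. Only the two 'abc' failures between the
# 4740 and the 4767 should be reported; 'xyz' is never locked out.
EVENTS = [
    ev("2024-03-01 09:00:01", 4625, "abc", "WS01", Failure_Reason="Unknown user name or bad password."),
    ev("2024-03-01 09:00:09", 4740, "abc", "DC01"),
    ev("2024-03-01 09:02:00", 4771, "abc", "DC01", Failure_Code="0x12"),
    ev("2024-03-01 09:01:00", 4625, "abc", "WS01", Failure_Reason="Account locked out."),
    ev("2024-03-01 09:30:00", 4767, "abc", "DC01"),
    ev("2024-03-01 09:31:00", 4625, "abc", "WS01", Failure_Reason="Unknown user name or bad password."),
    ev("2024-03-01 09:05:00", 4625, "xyz", "WS02", Failure_Reason="Unknown user name or bad password."),
]

FAILED_LOGON = {4625, 4771}   # failed logon, Kerberos pre-auth failure
LOCKOUT, UNLOCK = 4740, 4767


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def failed_logons_to_locked_accounts(events):
    """Walk events in time order, tracking which accounts are currently
    locked. A 4625/4771 counts only while its account's lockout is active,
    which excludes the bad-password attempts that caused the lockout."""
    locked_since = {}   # user -> _time of the 4740 currently in effect
    hits = []
    for e in sorted(events, key=lambda x: parse_time(x["_time"])):
        user, code = e["user"], e["EventCode"]
        if code == LOCKOUT:
            locked_since[user] = e["_time"]
        elif code == UNLOCK:
            locked_since.pop(user, None)
        elif code in FAILED_LOGON and user in locked_since:
            hits.append({"Time": e["_time"], "user": user, "EventCode": code,
                         "ComputerName": e["ComputerName"],
                         "Error": e.get("Failure_Reason") or e.get("Failure_Code"),
                         "locked_since": locked_since[user]})
    return hits
```

The point carries over to the SPL version: the 4740 has to be tracked per user as state that later 4625/4771 events are checked against, which the plain append of the two event types in the accepted answer does not do (it lists both, in no enforced order).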