Splunk Search

Failed Login to Locked out account

Explorer

I am trying to identify an event that fires when a login has been attempted to a previously locked account. I am not looking for failed logins or lockout events. I just want the failed login attempt that occurred on an account that was already locked out. Any help figuring out how to design a query for this would be great.

1 Solution

Path Finder

Yes, it would work; just modify the query a little bit:

index=winsec EventCode=4625 user=abc | append [search index=winsec EventCode=4740 user=abc] | table user, EventCode, _time

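The append above only stacks the lockout events under the failed-logon events for the same user; it does not by itself say which failures hit an account that was already locked. Windows records that in the failure event's own status code, so no correlation with 4740 is needed for the question as asked. The search below is an added example, not code from any post in this thread. It assumes the thread's index=winsec; field names as the Splunk Add-on for Microsoft Windows extracts them from the event body (Sub_Status, Error_Code, Failure_Code, Logon_Account, Account_Name, Client_Address, Source_Network_Address); and the documented Windows codes 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT, reported in 4625 and 4776) and Kerberos failure code 0x12 (KDC_ERR_CLIENT_REVOKED, reported in 4771). The account name "abc" is a placeholder taken from the thread.

```spl
index=winsec
    ( (EventCode=4625 Sub_Status=0xC0000234)
      OR (EventCode=4776 Error_Code=0xC0000234)
      OR (EventCode=4771 Failure_Code=0x12) )
| eval user=lower(coalesce(user, Logon_Account, mvindex(Account_Name, -1)))
| search user="abc"
| eval src=coalesce(src_ip, Source_Network_Address, Client_Address, Workstation_Name, Source_Workstation)
| eval src=replace(src, "^::ffff:", "")
| eval logon_path=case(
      EventCode=4625, "Logon attempt on this host: account locked out (0xC0000234)",
      EventCode=4776, "NTLM validation on DC: account locked out (0xC0000234)",
      EventCode=4771, "Kerberos pre-auth on DC: client credentials revoked (0x12)")
| table _time, host, user, src, EventCode, logon_path, Failure_Reason
| sort - _time
```

Two caveats a practitioner will want. First, the events land in different places: 4625 is written by the machine where the logon was attempted, while 4771 and 4776 are written by the domain controllers, so both sets of hosts must be forwarding to the index. Second, 4625 also carries the text "Account locked out." in Failure_Reason, but that string is localized, so filtering on the numeric sub-status is safer; and 0x12 in 4771 also covers disabled and expired accounts, so a 4771 hit alone is weaker evidence of a lockout than a 4625 or 4776 with 0xC0000234.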

New Member

Locked out account search form

<form>
  <label>Account Lockout Search</label>
  <searchTemplate>eventtype="windows_events" sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4723 OR EventCode=4724 OR EventCode=4625 OR EventCode=4769 OR EventCode=4767 OR EventCode=4776) user="$user$" | eval Workstation_Name=coalesce(Workstation_Name,Source_Workstation) | table _time, src_ip, user, action, Workstation_Name, src_nt_host, name, Failure_Reason | rename name AS Description | sort user</searchTemplate>

  <fieldset>
    <!-- text box seeded with "*": if the user enters nothing, the $user$ token in
         searchTemplate still expands to a wildcard instead of being removed -->
    <input type="text" token="user">
      <default>*</default>
    </input>
    <input type="time">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <title>Results</title>
        <option name="count">50</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <chart>
        <title>Top Descriptions</title>
        <searchPostProcess>| top limit=20 Description</searchPostProcess>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top Source IP by Time</title>
        <searchPostProcess>| timechart count by src_ip limit=10</searchPostProcess>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Count over time</title>
        <searchPostProcess>| chart sparkline count by user</searchPostProcess>
        <format field="sparkline" type="sparkline"></format>
      </table>
    </panel>
  </row>
</form>


Explorer

What does append do here?


Path Finder

It will append the search result of one search with another.


Path Finder

Hi Mihall,

If an account gets locked out, the next event to come would be either a failed logon (EventCode 4625) or a Kerberos pre-authentication failed (4771) event for that particular account. You can use the query below (abc being the locked-out user):

index=winsec (EventCode=4625 OR EventCode=4771) user=abc | eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S") | dedup user ComputerName | eval Error=coalesce(Failure_Reason, Failure_Code) | table Time user Error EventCodeDescription

Let me know if this works.
Thanks.


Explorer

The results produced are showing all failed logins, including events that occurred due to a failed password attempt. Is there a way to narrow this down further so that it's only showing events that came after a lockout? Thanks.


Path Finder

The event which will occur after an account gets locked out would be a failed logon event. So if user=abc gets locked out, the next event for user=abc would be a failed logon. EventCode 4625 would show you failed logon events.

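The "next event after the lockout" idea can be made precise with a running window rather than an append. The search below is an added example, not code from any post in this thread. Per user, it carries forward the time of the latest 4740 (account locked out) and the latest 4767 (account unlocked), and reports only those failed logons (4625, 4771) that arrive while the latest lockout is newer than the latest unlock and still inside the lockout window. It assumes index=winsec from the thread; that the add-on's user field (or, failing that, the last Account_Name value in the event body) names the affected account on all four event types; and a 30-minute lockout duration, which is the Windows default. Set lockout_seconds to your domain's Account lockout duration.

```spl
index=winsec (EventCode=4740 OR EventCode=4767 OR EventCode=4625 OR EventCode=4771)
| eval user=lower(coalesce(user, mvindex(Account_Name, -1)))
| eval lockout_seconds=1800
| eval lockout_time=if(EventCode=4740, _time, null())
| eval unlock_time=if(EventCode=4767, _time, null())
| sort 0 _time
| streamstats last(lockout_time) AS last_lockout, last(unlock_time) AS last_unlock BY user
| where (EventCode=4625 OR EventCode=4771)
    AND isnotnull(last_lockout)
    AND (isnull(last_unlock) OR last_unlock < last_lockout)
    AND _time - last_lockout <= lockout_seconds
| eval seconds_after_lockout=round(_time - last_lockout), reason=coalesce(Failure_Reason, Failure_Code)
| table _time, host, user, EventCode, seconds_after_lockout, reason
| sort 0 user, _time
```

How it works: Splunk returns events newest first, so sort 0 _time puts them in chronological order before streamstats walks them; last() over the per-user stream ignores rows where the field is null, so last_lockout and last_unlock always hold the most recent lockout and unlock seen so far for that user. The where clause then keeps a failure only if a lockout has happened, has not been undone by a later unlock, and is within the policy window. Because 4740 and 4767 are written by the domain controllers and 4625 by the host where the logon was attempted, the BY user grouping is what joins them; the search only works if both sets of hosts forward to the same index. If your lockout policy is "until an administrator unlocks", drop the lockout_seconds condition.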

Explorer

So would the following search and subsearch find the locked out accounts and look for failed logon attempts to them?

EventCode=4625 [search EventCode=4740 | dedup user | fields user] | table user, _time
