Ok, Great! So we just got splunk running. Now what.
I've gone out and told it to grab AD data, so I thought Hey, how do I find failed logon attempts on the network? Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?
Any takers for a rookie question?
You should get yourself a copy of the Windows Security Operations Center.
It will have pre-built searches and dashboards for this activity.
However, you can do what you ask without the app. To find and alert on locked accounts use the following search:
index=main sourcetype="*security*" EventCode=644 OR EventCode=4740
In the upper right select Create > Alert, give it a name and select realtime, and select Next.
Select Send Email, and enter your email address.
Select Include Results - Inline
Select Next and select your Sharing option.
Select Finish.
Don't forget to accept the answer. It lets other folks know the issue is closed.
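As an added illustration of what that saved search and alert are doing (this is not code from the thread or from Splunk), the script below replays a handful of constructed Windows Security events and applies the same two rules: raise on an account lockout event (644 on Windows 2003, 4740 on 2008 and later), and raise when one account reaches a failed-logon threshold (529 / 4625) inside a sliding time window. The pipe-delimited line format, the sample accounts and the threshold of 5 failures in 5 minutes are assumptions chosen for the example; on a real system these come from the event fields and your own lockout policy.

```python
# Added example: threshold-based failed-logon and lockout detection over
# Windows Security events, mirroring the Splunk search/alert in the thread.
# Not Splunk code; every event line below is constructed sample data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event codes the thread refers to (lockouts) plus the failed-logon codes
# that precede them: the first of each pair is the Windows 2003 ID, the
# second is the Windows 2008+/Vista+ ID.
LOCKOUT_CODES = {"644", "4740"}
FAILED_LOGON_CODES = {"529", "4625"}

# Constructed sample log lines: timestamp|EventCode|TargetUserName|Host
SAMPLE_EVENTS = """\
2012-03-01T09:00:00|4625|jsmith|WS01
2012-03-01T09:00:20|4625|jsmith|WS01
2012-03-01T09:00:45|4625|jsmith|WS01
2012-03-01T09:01:10|4625|jsmith|WS01
2012-03-01T09:01:30|4625|jsmith|WS01
2012-03-01T09:01:31|4740|jsmith|DC01
2012-03-01T09:05:00|4625|bwayne|WS07
2012-03-01T09:30:00|4625|bwayne|WS07
2012-03-01T10:00:00|4624|bwayne|WS07
"""


def parse_events(text):
    """Parse the assumed pipe-delimited format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, code, user, host = line.split("|")
        events.append({"time": datetime.fromisoformat(ts),
                       "code": code, "user": user, "host": host})
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return (threshold_alerts, lockout_alerts).

    threshold_alerts: (user, time, count) each time an account's failed
                      logons inside the sliding window reach `threshold`.
    lockout_alerts:   (user, time, host) for every lockout event, which is
                      exactly what the EventCode=644 OR EventCode=4740
                      search matches.
    """
    recent = defaultdict(deque)   # user -> failure timestamps still in window
    threshold_alerts = []
    lockout_alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["code"] in FAILED_LOGON_CODES:
            q = recent[ev["user"]]
            q.append(ev["time"])
            # Drop failures that have aged out of the window.
            while q and ev["time"] - q[0] > window:
                q.popleft()
            # Fire when the in-window count lands on the threshold.
            if len(q) == threshold:
                threshold_alerts.append((ev["user"], ev["time"], len(q)))
        elif ev["code"] in LOCKOUT_CODES:
            lockout_alerts.append((ev["user"], ev["time"], ev["host"]))
        # Other codes (e.g. 4624 successful logon) are ignored here.
    return threshold_alerts, lockout_alerts


if __name__ == "__main__":
    thresh, locks = detect(parse_events(SAMPLE_EVENTS))
    for user, when, count in thresh:
        print(f"THRESHOLD {when.isoformat()} {user}: {count} failures in window")
    for user, when, host in locks:
        print(f"LOCKOUT   {when.isoformat()} {user} reported by {host}")
```

In the sample data jsmith accumulates five failures in under two minutes and is then locked out, so both rules fire for that account; bwayne's two failures are 25 minutes apart and never reach the threshold. The Splunk alert in the answer above covers the lockout rule only; the threshold rule is what you would add if you want warning before the domain controller locks the account.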
Do you have the deployment monitor app installed?
The initial data dump will be pretty large because it will collect all of the logs.
The deployment monitor > License Usage tab will show the indexing volume change over time.
Splunk support can help with license violations.
Great! This worked. Thanks!
Now we're hammering the daily limit for the free system. May have to dial it back a notch. 🙂
The service account that runs splunkd on the indexer needs to be a domain account. Here is an older post that speaks to WMI:
http://answers.splunk.com/answers/3701/how-to-get-wmi-data-collection-by-providing-to-splunk-the-rem...
Will it prompt for the domain account or is it configured somewhere?
You don't need to install forwarders necessarily.
Go to Manager > Data Inputs > Remote Event Log Collections and select New. This will use WMI. You will need a windows domain account.
Yeah, so apparently I'm not completely talking to Active Directory until I install some forwarders. I saw "add data source" for AD or whatever on the first-run page and did that.
Apparently it's a bit more involved.
I assume you have configured your SMTP settings in Splunk.
You might want to take a look at the Splunk App for Active Directory, which includes a dashboard for user logon failures. If you're going to install that app, be sure to read the New to Splunk? topic in that manual.
You can set up an alert based on those saved searches; see the Splunk Alerting Manual for more information.