Splunk Search

Getting Started Question: Finding failed Windows logon attempts

TylerTreat
Explorer

Ok, Great! So we just got splunk running. Now what.

I've gone out and told it to grab AD data, so I thought Hey, how do I find failed logon attempts on the network? Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?

Any takers for a rookie question?

Tags (3)
1 Solution

lukejadamec
Super Champion

You should get yourself a copy of the Windows Security Operations Center.

It will have pre-built searches and dashboards for this activity.

However, you can do what you ask without the app. To find and alert on locked accounts use the following search:

index=main sourcetype="*security*" EventCode=644 OR EventCode=4740

In the upper right select Create > Alert, give it a name and select realtime, and select Next.

Select Send Email, and enter your email address.

Select Include Results - Inline

Select Next and select your Sharing option.

Select Finish.

View solution in original post

lukejadamec
Super Champion

Don't forget to accept the answer. It lets other folks know the issue is closed.

0 Karma

lukejadamec
Super Champion

Do you have the deployment monitor app installed?
The initial data dump will be pretty large because it will collect all of the logs.

The deployment monitor > License Usage tab will show the indexing volume change over time.
Splunk support can help with license violations.

TylerTreat
Explorer

Great! This worked. Thanks!
Now we're hammering the daily limit for the free system. May have to dial it back a notch. 🙂

0 Karma

lukejadamec
Super Champion

The service account that runs splunkd on the indexer needs to be a domain account. Here is an older post that speaks to WMI:
http://answers.splunk.com/answers/3701/how-to-get-wmi-data-collection-by-providing-to-splunk-the-rem...

TylerTreat
Explorer

Will it prompt for the domain account or is it configured somewhere?

0 Karma

lukejadamec
Super Champion

You don't need to install forwarders necessarily.
Go to Manager > Data Inputs > Remote Event Log Collections and select New. This will use WMI. You will need a windows domain account.

0 Karma

TylerTreat
Explorer

yeah, so apparently i'm not completely talking to active directory until I install some forwarders. I saw "add data source" for AD or whatever on the firstrun page and did that.

Apparently its a bit more involved.

0 Karma

lukejadamec
Super Champion

You should get yourself a copy of the Windows Security Operations Center.

It will have pre-built searches and dashboards for this activity.

However, you can do what you ask without the app. To find and alert on locked accounts use the following search:

index=main sourcetype="*security*" EventCode=644 OR EventCode=4740

In the upper right select Create > Alert, give it a name and select realtime, and select Next.

Select Send Email, and enter your email address.

Select Include Results - Inline

Select Next and select your Sharing option.

Select Finish.

lukejadamec
Super Champion

I assume you have configured your smtp setting in Splunk.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

You might want to take a look at the Splunk App for Active Directory, which includes a dashboard for user logon failures. If you're going to install that app, be sure to read the New to Splunk? topic in that manual.

You can set up an alert based on those saved searches; see the Splunk Alerting Manual for more information.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...