Splunk Search

How can I use iplocation to include the IP in my alert search results for account lockouts?

Gayathirik
Path Finder

I have a search to alert on account lockouts:

index=winsec EventCodeDescription="A user account was locked out" | dedup user | stats count as total by _time host user

I need to get the "IP" as well when the account is locked out. Could you please help me with getting the IP address of the system along with this event alert search?

Regards,
Gayathiri K

1 Solution

hliakathali_spl
Splunk Employee

You would have to use some DNS lookup type of thing to get the IP address from the host name. And you can use clientip, src_ip, dns_ip, server_ip, etc.; according to your Splunk naming convention you have to use the search strings. See the props.conf file for host and ip.

Try to use this query,

index=_audit action="login attempt" info="succeeded" | head 20 | iplocation clientip | table clientip, user, _time


sundareshr
Legend

Try this

index=winsec EventCodeDescription="A user account was locked out" | stats count as total by _time host user Source_Network_Address
0 Karma

Gayathirik
Path Finder

This is not working. Could you please tell me some other possible way to find it out?

0 Karma


Gayathirik
Path Finder

Excellent Harish!!! This really works!!!!

0 Karma
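Editor's added example (not code posted by anyone in this thread) showing where the IP for a Windows lockout alert actually comes from. Both searches above assume the lockout event carries an address: sundareshr's adds Source_Network_Address to the stats, and the accepted answer geolocates clientip from index=_audit, which is Splunk's own login audit trail (logins to Splunk, not to Windows). In the Windows Security log the lockout event itself (EventCode 4740, "A user account was locked out") names the caller computer but has no source address; the address sits in the failed-logon events (EventCode 4625, Source_Network_Address) that precede the lockout for the same user. The Python below correlates the two over constructed sample events and flags RFC 1918 addresses, which a GeoIP database such as the one iplocation consults cannot place. The field names follow the Splunk Add-on for Microsoft Windows and are an assumption of the example; the events are hand-written, not real log data.

```python
"""Recover the source IP for a Windows account-lockout alert.

Added example for this thread, not code posted by any participant. The
events below are constructed by hand; field names (EventCode, user,
Source_Network_Address, Caller_Computer_Name) follow the Splunk Add-on
for Microsoft Windows and are an assumption of the example.
"""
import ipaddress
from datetime import datetime, timedelta

LOCKOUT = "4740"       # "A user account was locked out": names the caller computer, carries no IP
FAILED_LOGON = "4625"  # "An account failed to log on": carries Source_Network_Address

# Constructed sample events, in the shape index=winsec would return them.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:01", "EventCode": FAILED_LOGON, "host": "DC01",
     "user": "gayathiri", "Source_Network_Address": "10.20.30.40", "Workstation_Name": "WS-117"},
    {"_time": "2024-05-01T09:00:05", "EventCode": FAILED_LOGON, "host": "DC01",
     "user": "gayathiri", "Source_Network_Address": "10.20.30.40", "Workstation_Name": "WS-117"},
    {"_time": "2024-05-01T09:00:09", "EventCode": LOCKOUT, "host": "DC01",
     "user": "gayathiri", "Caller_Computer_Name": "WS-117"},
    {"_time": "2024-05-01T09:30:00", "EventCode": FAILED_LOGON, "host": "DC01",
     "user": "svc_backup", "Source_Network_Address": "203.0.113.7", "Workstation_Name": "-"},
    {"_time": "2024-05-01T09:30:03", "EventCode": LOCKOUT, "host": "DC01",
     "user": "svc_backup", "Caller_Computer_Name": "VPN-GW"},
    # A lockout with no failed logon in the window: the alert must still fire, with no IP.
    {"_time": "2024-05-01T11:00:00", "EventCode": LOCKOUT, "host": "DC02",
     "user": "orphan", "Caller_Computer_Name": "UNKNOWN"},
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private IPv4 space, which a GeoIP lookup (e.g. Splunk's
    iplocation) cannot resolve to a location. Unparsable values such as the
    "-" Windows writes when no address is known are treated as not private."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["_time"])


def correlate_lockouts(events, window_seconds: int = 600):
    """For each lockout, collect the failed logons for the same user in the
    preceding window and take the source IP of the most recent one.
    Returns one alert row per lockout, oldest first."""
    window = timedelta(seconds=window_seconds)
    failures = [e for e in events if e["EventCode"] == FAILED_LOGON]
    rows = []
    for lock in sorted((e for e in events if e["EventCode"] == LOCKOUT), key=_ts):
        t_lock = _ts(lock)
        related = [f for f in failures
                   if f["user"] == lock["user"] and t_lock - window <= _ts(f) <= t_lock]
        latest = max(related, key=_ts, default=None)
        src_ip = latest.get("Source_Network_Address") if latest else None
        if src_ip == "-":          # Windows logs "-" when the address is unavailable
            src_ip = None
        rows.append({
            "_time": lock["_time"],
            "host": lock["host"],
            "user": lock["user"],
            "caller_computer": lock.get("Caller_Computer_Name"),
            "src_ip": src_ip,       # None when no 4625 precedes the lockout
            "failed_attempts": len(related),
            "src_is_rfc1918": bool(src_ip) and is_rfc1918(src_ip),
        })
    return rows


if __name__ == "__main__":
    for row in correlate_lockouts(SAMPLE_EVENTS):
        print(row)
```

The same correlation in SPL would search both event codes and group them per user, for instance `index=winsec (EventCode=4625 OR EventCode=4740) | transaction user maxspan=10m endswith="EventCode=4740" | iplocation Source_Network_Address | table _time host user Caller_Computer_Name Source_Network_Address Country City`; that search is a sketch written for this note and was not run against a Splunk instance. Expect the Country and City fields to stay empty for lockouts originating inside the network, since the address will be RFC 1918 space.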