Splunk Search

How to create an alert for lockouts in Windows event logs with details of failed activity in the last hour by src_ip?

kranthi851
New Member

Hi

How to create an alert for lockouts in Windows Event Logs with the details of failed activity in last hour by src_ip's?

0 Karma
1 Solution

alemarzu
Motivator

Hi @kranthi851

Try this out.

earliest=-1h@h latest=@h index=wineventlog sourcetype=WinEventLog:Security EventCode="4740"
| eval Account=mvindex(Account_Name, 1) 
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 3600 | fields - count
| map maxsearches=100 search="search index=wineventlog sourcetype=WinEventLog:Security EventCode="4625" earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=mvindex(Account_Name, 1) 
| regex Account!="\\$"
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason by Account src_ip | convert ctime(lastFailure) | rename Account AS "Blocked Account", count AS LoginFailures

This will search for account blocks and then go back in time one hour to find login failures for the blocked user.

Hope it helps.

EDIT: Query updated.

View solution in original post

alemarzu
Motivator

Hi @kranthi851

Try this out.

earliest=-1h@h latest=@h index=wineventlog sourcetype=WinEventLog:Security EventCode="4740"
| eval Account=mvindex(Account_Name, 1) 
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 3600 | fields - count
| map maxsearches=100 search="search index=wineventlog sourcetype=WinEventLog:Security EventCode="4625" earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=mvindex(Account_Name, 1) 
| regex Account!="\\$"
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason by Account src_ip | convert ctime(lastFailure) | rename Account AS "Blocked Account", count AS LoginFailures

This will search for account blocks and then go back in time one hour to find login failures for the blocked user.

Hope it helps.

EDIT: Query updated.

kranthi851
New Member

Hi alemarzu, I tried this one and it din't show the results.

0 Karma

alemarzu
Motivator

Sorry about that. Tested on lab and fixed.

0 Karma

kranthi851
New Member

Hi Alemarzu, Its showing the results, but when i change the Query with (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) Keywords="Audit Failure")), its not working. is it possible to get the failed events by eventcode and src_ip?

0 Karma

alemarzu
Motivator

Besides the changes you want to do now, the query worked out? If not, we have to start over.

Is not working with the eventcodes(4768,4771,4776) that you try to add for two main reasons:
- They have a completly different event structure.
- The query I've posted was made for those events only.

So please, let me know what you have in mind now so I can help you.

0 Karma

kranthi851
New Member

Yes, The Query Worked. Thanks! I want to add other failure event codes as some account lockouts occurring of those event codes.

0 Karma

alemarzu
Motivator

Okey then, give this a try, I don't have data to test it right now but let me know if it's not working aight ?

earliest=-1h@h latest=@h index=wineventlog sourcetype=WinEventLog:Security EventCode="4740" 
| eval Account=mvindex(Account_Name, 1)
| stats count, latest(_time) AS lastBlock by Account
| eval modtime=lastBlock - 3600 
| fields - count
| map maxsearches=100 search="search index=wineventlog sourcetype=WinEventLog:Security (EventCode="4625" OR EventCode="4768" OR EventCode="4771" OR EventCode="4776") earliest=$modtime$ latest=$lastBlock$ Account_Name=$Account$"
| eval Account=case(EventCode="4740" OR EventCode="4625", mvindex(Account_Name, 1), EventCode="4768" OR EventCode="4771", Account_Name, EventCode="4776", Logon_Account, 1=1, "Click-on-me")
| regex Account!="\\$"
| eval errorMessages=case(EventCode="4768", (EventCode."; ".Result_Code), EventCode="4771", (EventCode."; ".Failure_Code), EventCode="4776", (EventCode."; ".Error_Code), 1=1, "Click-on-me")
| stats count, latest(_time) AS lastFailure, values(Failure_Reason) AS failureReason, values(errorMessages) AS otherFailures by Account src_ip 
| convert ctime(lastFailure) 
| rename Account AS "Blocked Account", count AS LoginFailures

Should be same as before but this one has a new field called "otherFailures", that will hold the other types of failures that you have mentioned. It is a concatenated field holding the EventCode and Resulting Code.

edit: tested and working

sowmiyansk
New Member

Please help me with the below Query 

1. Account lockouts(4740) and then go back in time one hour to find login failures(4625) for the blocked user.

2. Login failure(4625) and then go back in time 2 hour to find account lockout(4740) for the same failed login user.

SOURCE LOG BELOW :

4740 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4740</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:40:45.252885800Z'/><EventRecordID>774430877</EventRecordID><Correlation/><Execution ProcessID='568' ThreadID='1856'/><Channel>Security</Channel><Computer>TESTDC1.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>HOSTNAME123</Data><Data Name='TargetSid'>S-1-5-21-2467427501-1309223053-903455979-12974</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>TESTDC1$</Data><Data Name='SubjectDomainName'>TESTDOMAIN123</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event>

4625 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...