Good afternoon everyone,
Can someone point me in the right direction to creating an alert when a Windows account is locked out and there is an unlock event within 5 minutes of it being locked? I have the search built for both events, but I am having trouble adding in the condition of the unlock event within 5 minutes.
Any help would be appreciated. Thank you
Here is the search I built to join the two searches but this is not what I am looking for:
index=wineventlog EventCode=4767
| bin _time span=5m
| stats count by Account_Name name
| sort - count
| rename count AS "Number of Unlocks" name AS "Unlock_Description"
| join Account_Name
[ search index=wineventlog EventCode=4740
| bin _time span=5m
| stats count by Account_Name name
| sort - count
| rename count AS "Number of Lockouts" name AS "Lockout_Description"]
| table Account_Name "Unlock_Description" "Number of Lockouts" "Lockout_Description" "Number of Unlocks"
Hi @djreschke,
You could use the transaction command or the stats command.
With transaction, something like this:
index=wineventlog EventCode=4767 OR EventCode=4740
| transaction host Account_Name startswith="EventCode=4767" endswith="EventCode=4740" maxspan=300s
or without transaction:
index=wineventlog EventCode=4767 OR EventCode=4740
| stats dc(EventCode) AS dcount earliest(_time) AS earliest latest(_time) AS latest BY host Account_Name
| where dcount=2 AND latest-earliest<300
The second one is more performant.
Ciao.
Giuseppe
Giuseppe,
Thanks for the searches. Quick question: with the above searches, how would I see if there were multiple lock and unlock events within the time frame?
Best,
Derek
Hi @djreschke,
If you're sure that in the observing period there's only one lock/unlock, you could add a stats count at the end of the search.
If instead you could have more than one lock/unlock in the same period, you have to use transaction, adding a stats count at the end:
index=wineventlog EventCode=4767 OR EventCode=4740
| transaction host Account_Name startswith="EventCode=4767" endswith="EventCode=4740" maxspan=300s
| stats count BY host Account_Name
Ciao.
Giuseppe
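The following is an added worked example, not part of the thread and not Giuseppe's or Splunk's code. It implements, outside Splunk, the pairing logic the transaction search is meant to express: for each host/account, a 4740 (lockout) followed by the next 4767 (unlock) within maxspan seconds counts as one pair, and several pairs in the same window are counted separately, which is what the stats-only version (dc(EventCode)=2 and latest-earliest<300) cannot distinguish. The sample events, host names, and account names are constructed for the example; the field names mirror the ones the searches above key on.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data). 4740 = account locked out,
# 4767 = account unlocked. Field names follow the Windows event log searches above.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10 09:00:00", "host": "dc01", "Account_Name": "jdoe",   "EventCode": 4740},
    {"_time": "2024-01-10 09:02:30", "host": "dc01", "Account_Name": "jdoe",   "EventCode": 4767},  # pair 1: 150 s
    {"_time": "2024-01-10 09:03:00", "host": "dc01", "Account_Name": "jdoe",   "EventCode": 4740},
    {"_time": "2024-01-10 09:04:00", "host": "dc01", "Account_Name": "jdoe",   "EventCode": 4767},  # pair 2: 60 s
    {"_time": "2024-01-10 10:00:00", "host": "dc01", "Account_Name": "asmith", "EventCode": 4740},
    {"_time": "2024-01-10 10:09:00", "host": "dc01", "Account_Name": "asmith", "EventCode": 4767},  # 540 s: outside 5 min
    {"_time": "2024-01-10 11:00:00", "host": "dc02", "Account_Name": "bob",    "EventCode": 4767},
    {"_time": "2024-01-10 11:01:00", "host": "dc02", "Account_Name": "bob",    "EventCode": 4740},  # unlock before lockout: no pair
]

LOCKOUT, UNLOCK = 4740, 4767


def to_epoch(ts):
    """Parse the sample timestamp format into epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").timestamp()


def pair_lockouts_with_unlocks(events, maxspan=300):
    """Return {(host, account): [seconds from each lockout to its following unlock, ...]}.

    Events are grouped by host and account and processed in time order. Each
    4740 is matched with the next 4767 for the same key; the match counts only
    when the unlock comes after the lockout and no more than maxspan seconds later.
    A newer lockout replaces an older one that was never unlocked.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["Account_Name"])].append((to_epoch(e["_time"]), e["EventCode"]))

    pairs = {}
    for key, evs in by_key.items():
        evs.sort()  # order by time, as `sort _time` would before streamstats/transaction
        pending_lockout = None
        spans = []
        for t, code in evs:
            if code == LOCKOUT:
                pending_lockout = t
            elif code == UNLOCK and pending_lockout is not None:
                if t - pending_lockout <= maxspan:
                    spans.append(t - pending_lockout)
                pending_lockout = None
        if spans:
            pairs[key] = spans
    return pairs


def alert_rows(events, maxspan=300):
    """One row per host/account, like the `stats count BY host Account_Name` result:
    how many lockout->unlock pairs fell inside the window and the fastest one."""
    return {
        key: {"pairs": len(spans), "fastest_unlock_s": min(spans)}
        for key, spans in pair_lockouts_with_unlocks(events, maxspan).items()
    }


if __name__ == "__main__":
    for key, row in alert_rows(SAMPLE_EVENTS).items():
        print(key, row)
```

Run against the constructed sample, only jdoe on dc01 produces a row, with two pairs, because asmith's unlock arrives after the 5-minute window and bob's unlock precedes the lockout. Keeping the ordering check (lockout first, then unlock) matters for the alert: a stats-based window test alone also fires when the unlock comes before the lockout.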