Hi
I need to create an alert that triggers when an account is locked out, with the details of where and why the account was locked out. I'm trying to join the account lockout with the failed logon activity, but I'm not getting the expected result. Any suggestions?
Search I'm using:
index=wineventlog sourcetype="WinEventLog:Security" EventCode="4740" user="*" dest_nt_domain="*"
| eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout by dest_nt_domain,user
| search lockedout="Yes"
| eval ltime=strftime(time,"%c")
| append [search index=wineventlog (EventCode=4625 OR EventCode=4771) host=* user=* Account_Name!=*$ | stats count by user,Source_Network_Address | sort - count | rename user to "User Name",Source_Network_Address to "IP Address",count to "Number of Failures"]
| table dest_nt_domain user host lockedout ltime "IP Address" "Number of Failures"
Try this
*UPDATED*
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="*"
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| stats latest(eval(if(lockout="Yes", _time, null()))) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode=4625 OR EventCode=4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
Thanks for your answer! I'm getting the error "'SearchProcessor': Mismatched quotes and/or parenthesis." I'm not sure why this error is occurring; I replaced == with = and it still exists. Can you resolve this one?
Line 4 needs another parenthesis after EventCode=4771 to close the count command.
Try this
index=wineventlog sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="*"
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| stats latest(eval(if(lockout="Yes"), _time, null())) as time, latest(src_nt_host) as host, latest(lockout) as locked out values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
Hi sundareshr,
I got this error.
Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time, null())' is invalid. Error='The operator at ', _time, null()' is invalid.'
What change do I have to make for it to work?
Try the updated answer
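The correlation the updated answer's stats command performs (latest lockout per user, the caller host via coalesce(src_nt_host, host), and the 4625/4771 failures with their source addresses rolled up per account) can be checked outside Splunk. The Python below is an added example, not code from the thread or from Splunk; the log records are constructed key=value lines that reuse the thread's field names, and the parser assumes values contain no spaces. It goes one step beyond the search in the thread: failures are only counted when they fall inside a lookback window ending at the lockout, so activity after the lockout or from an unrelated burst does not inflate "Number of Failures", and an account that was locked out with no preceding failures in the window still produces a row (the case an inner join or append would drop).

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LOCKOUT_CODES = {644, 4740}   # 644 is the pre-Vista equivalent of 4740
FAILURE_CODES = {4625, 4771}  # failed logon / Kerberos pre-auth failure

# Constructed sample records (not real data) in key=value form, using the
# field names from the thread's searches.  Events are deliberately out of
# order and include a post-lockout failure, a machine account and an
# account locked out with no preceding failures.
SAMPLE_LOG = """\
_time=2024-03-01T08:00:05 EventCode=4625 user=jdoe host=WS01 Source_Network_Address=10.1.2.3
_time=2024-03-01T08:00:09 EventCode=4625 user=jdoe host=WS01 Source_Network_Address=10.1.2.3
_time=2024-03-01T08:00:14 EventCode=4771 user=jdoe host=DC01 Source_Network_Address=10.1.2.3
_time=2024-03-01T08:00:20 EventCode=4625 user=jdoe host=WS02 Source_Network_Address=10.9.9.9
_time=2024-03-01T08:00:31 EventCode=4740 user=jdoe host=DC01 src_nt_host=WS01 dest_nt_domain=CORP
_time=2024-03-01T08:05:00 EventCode=4625 user=jdoe host=WS02 Source_Network_Address=10.9.9.9
_time=2024-03-01T08:02:00 EventCode=4625 user=asmith host=WS03 Source_Network_Address=10.4.4.4
_time=2024-03-01T08:03:00 EventCode=4740 user=SRV01$ host=DC01 dest_nt_domain=CORP
_time=2024-03-01T09:00:00 EventCode=4740 user=bsmith host=DC02 dest_nt_domain=CORP
"""


@dataclass
class Event:
    time: datetime
    code: int
    user: str
    fields: Dict[str, str]


def parse_events(text: str) -> List[Event]:
    """Parse key=value lines into Event objects (assumes no spaces in values)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event(time=datetime.fromisoformat(kv["_time"]),
                            code=int(kv["EventCode"]),
                            user=kv["user"],
                            fields=kv))
    return events


def correlate_lockouts(events: List[Event],
                       lookback: timedelta = timedelta(minutes=30)) -> List[dict]:
    """One row per locked-out user account, with the failures that preceded the lockout."""
    by_user: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)

    rows = []
    for user, evs in by_user.items():
        if user.endswith("$"):            # Account_Name!=*$ : skip machine accounts
            continue
        lockouts = [e for e in evs if e.code in LOCKOUT_CODES]
        if not lockouts:                  # search lockedout="Yes"
            continue
        lock = lockouts[-1]               # latest lockout for this user
        window_start = lock.time - lookback
        failures = [e for e in evs
                    if e.code in FAILURE_CODES and window_start <= e.time <= lock.time]
        ips = Counter(e.fields.get("Source_Network_Address", "unknown") for e in failures)
        rows.append({
            "dest_nt_domain": lock.fields.get("dest_nt_domain", ""),
            "User Name": user,
            # coalesce(src_nt_host, host): prefer the caller workstation named in 4740
            "host": lock.fields.get("src_nt_host") or lock.fields["host"],
            "lockedout": "Yes",
            "time": lock.time.strftime("%c"),
            "IP Address": sorted(ips),
            "Number of Failures": sum(ips.values()),
            "failures_by_ip": dict(ips),
        })
    return sorted(rows, key=lambda r: r["User Name"])


if __name__ == "__main__":
    for row in correlate_lockouts(parse_events(SAMPLE_LOG)):
        print(row)
```

With the sample data, jdoe's row reports four failures from two addresses (the failure at 08:05 is after the lockout and is not counted), asmith has failures but no lockout and so gets no row, the SRV01$ machine account is skipped, and bsmith appears with zero failures and the host falling back to the domain controller that logged the 4740.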