Splunk Search

How to edit my search to trigger when an account is locked out, including details of where and why it happened?

Builder

Hi

I need to create an alert to trigger when an account is locked out, with the details of where and why the account was locked out. I'm trying to join the account lockout with the failed activity, but I'm not getting the expected result. Any suggestion?

Search I'm using:

    index=wineventlog sourcetype="WinEventLog:Security" EventCode="4740" user="*" dest_nt_domain="*"
    | eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout by dest_nt_domain, user
    | search lockedout="Yes"
    | eval ltime=strftime(time,"%c")
    | append [search index=wineventlog (EventCode=4625 OR EventCode=4771) host=* user=* Account_Name!=*$
        | stats count by user, Source_Network_Address
        | sort - count
        | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"]
    | table dest_nt_domain user host lockedout ltime "IP Address" "Number of Failures"

Legend

Try this

*UPDATED*

    index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="*"
    | eval src_nt_host=coalesce(src_nt_host,host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(eval(if(lockout="Yes", _time, null()))) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode=4625 OR EventCode=4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
    | eval time=strftime(time,"%c")
    | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
    | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
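The stats pipeline above builds one row per user: the time of the last lockout, the caller computer from the 4740 event (src_nt_host, falling back to host), and the addresses that produced 4625/4771 failures. What follows is an added example, not code from the thread or from Splunk, that implements the same correlation in plain Python over a handful of constructed events so the join logic can be checked outside Splunk. Field names follow the Windows add-on fields used in the thread (EventCode, user, host, src_nt_host, Source_Network_Address, dest_nt_domain); the sample events, the 15-minute window and the function correlate_lockouts are assumptions for illustration. It goes beyond the SPL in one respect: failures are attributed by a time window ending at the lockout rather than by whichever event happens to be newest, so a failed logon that lands after the 4740 cannot turn latest(lockout) into "No" and hide the lockout.

```python
"""Correlate Windows account lockouts (4740/644) with the failed logons
(4625, 4771) that preceded them. Added example for this thread; the events
below are constructed, not captured logs, and the field names are assumed to
match the Splunk Windows add-on as used in the thread."""
from collections import Counter
from datetime import datetime, timedelta

LOCKOUT_CODES = {644, 4740}   # 644 is the pre-Vista equivalent of 4740
FAILURE_CODES = {4625, 4771}  # 4625: failed logon; 4771: Kerberos pre-auth failed


def sample_time(hhmm):
    """Helper for the constructed sample: all events on one assumed day."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events (assumption, not data from the original page).
SAMPLE_EVENTS = [
    # jsmith: bad passwords from 10.1.2.3 against FS01 and the DC, then a lockout
    {"_time": sample_time("09:00"), "EventCode": 4625, "user": "jsmith", "host": "FS01",
     "Source_Network_Address": "10.1.2.3", "dest_nt_domain": "CORP"},
    {"_time": sample_time("09:01"), "EventCode": 4625, "user": "jsmith", "host": "FS01",
     "Source_Network_Address": "10.1.2.3", "dest_nt_domain": "CORP"},
    {"_time": sample_time("09:02"), "EventCode": 4771, "user": "jsmith", "host": "DC01",
     "Source_Network_Address": "10.1.2.3", "dest_nt_domain": "CORP"},
    {"_time": sample_time("09:02"), "EventCode": 4771, "user": "jsmith", "host": "DC01",
     "Source_Network_Address": "10.1.2.3", "dest_nt_domain": "CORP"},
    {"_time": sample_time("09:03"), "EventCode": 4771, "user": "jsmith", "host": "DC01",
     "Source_Network_Address": "10.1.2.3", "dest_nt_domain": "CORP"},
    # a stale failure from another address hours earlier: outside the window
    {"_time": sample_time("06:00"), "EventCode": 4625, "user": "jsmith", "host": "WEB01",
     "Source_Network_Address": "10.9.9.9", "dest_nt_domain": "CORP"},
    # the lockout itself, logged on the DC; src_nt_host is the caller computer
    {"_time": sample_time("09:03"), "EventCode": 4740, "user": "jsmith", "host": "DC01",
     "src_nt_host": "WS-042", "dest_nt_domain": "CORP"},
    # a failure that arrives after the lockout: must not hide the lockout
    {"_time": sample_time("09:04"), "EventCode": 4625, "user": "jsmith", "host": "FS01",
     "Source_Network_Address": "10.1.2.3", "dest_nt_domain": "CORP"},
    # asmith: failures but never locked out, so no row is produced
    {"_time": sample_time("09:10"), "EventCode": 4625, "user": "asmith", "host": "FS01",
     "Source_Network_Address": "10.1.2.4", "dest_nt_domain": "CORP"},
    # machine-account noise (trailing $), the Account_Name!=*$ case from the thread
    {"_time": sample_time("09:11"), "EventCode": 4625, "user": "WS-042$", "host": "DC01",
     "Source_Network_Address": "10.1.2.5", "dest_nt_domain": "CORP"},
]


def correlate_lockouts(events, window=timedelta(minutes=15)):
    """Return {(domain, user): record} for every account with a lockout event.

    record = {"time": lockout time, "caller_host": workstation named in the 4740,
              "failures": {source address: count} within `window` before the lockout,
              "failure_count": total of those failures}
    Only the most recent lockout per account is reported (the answer's latest()).
    """
    lockouts = {}
    for ev in events:
        if ev["EventCode"] in LOCKOUT_CODES and not ev["user"].endswith("$"):
            key = (ev["dest_nt_domain"], ev["user"])
            if key not in lockouts or ev["_time"] > lockouts[key]["_time"]:
                lockouts[key] = ev

    result = {}
    for key, lock in lockouts.items():
        start = lock["_time"] - window
        sources = Counter(
            ev.get("Source_Network_Address", "unknown")
            for ev in events
            if ev["EventCode"] in FAILURE_CODES
            and (ev["dest_nt_domain"], ev["user"]) == key
            and start <= ev["_time"] <= lock["_time"]
        )
        result[key] = {
            "time": lock["_time"],
            # same fallback as coalesce(src_nt_host, host) in the thread
            "caller_host": lock.get("src_nt_host") or lock["host"],
            "failures": dict(sources),
            "failure_count": sum(sources.values()),
        }
    return result


if __name__ == "__main__":
    for (domain, user), rec in correlate_lockouts(SAMPLE_EVENTS).items():
        print(f"{domain}\\{user} locked out at {rec['time']:%H:%M} from {rec['caller_host']}: "
              f"{rec['failure_count']} failures {rec['failures']}")
```

Run as a script it prints one line per locked-out account. On the sample only jsmith is reported, with caller computer WS-042 and five failures from 10.1.2.3; the 06:00 failure falls outside the window and the failure logged after the 4740 is ignored rather than flipping the account to "not locked out". Widening the window is how you would pull in the stale source as well.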

Builder

Thanks for your answer! I'm getting the error "'SearchProcessor': Mismatched quotes and/or parenthesis." I'm not sure why this error is occurring; I replaced == with = and it still exists. Can you resolve this one?


Explorer

Line 4 needs another parenthesis after EventCode=4771 to close the count command.


Legend

Try this

index=wineventlog sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="*"  
 | eval src_nt_host=coalesce(src_nt_host,host)
 | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No") 
 | stats latest(eval(if(lockout="Yes"), _time, null())) as time, latest(src_nt_host) as host, latest(lockout) as locked out values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user 
 | eval time=strftime(time,"%c") 
 | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
 | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"

Builder

Hi sundareshr,

I got this error.

Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time, null())' is invalid. Error='The operator at ', _time, null()' is invalid.' 

What change do I have to make for it to work?


Legend

Try the updated answer
