Greetings. I am looking to search failed logins for a particular Active Directory group(s). I was thinking I'd have to do a subsearch based on what I've read in the forums. However, ldapsearch isn't an option due to the access I have in our managed Splunk (it's managed by a central team). So I can do a search for failed logins like so:
index=[my domain controllers index] sourcetype=XmlWinEventLog:Security EventCode=4625 user!="*$" user!="SYSTEM" (LogonType=10 OR LogonType=3)
However, I don't know how to search just a specific group name at the same time and report on just the failed logins for members of that group. Alternatively, I could add the members of the group individually, but since the group membership would change that would be ineffective (I wouldn't always be aware of the changes).
Does anyone have any advice?
Hi,
You should install an app to query LDAP for the members of the group that you want to filter.
https://splunkbase.splunk.com/app/1151/#/details
Hope I helped you.
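As an added illustration (not from either poster) of how the linked app fits the original search: a scheduled search expands the group into a lookup, and the failed-logon search filters on that lookup so membership changes are picked up automatically. It assumes SA-ldapsearch is installed and that its `ldapgroup` command emits `member_name`/`member_dn` fields; `<domain>`, `<dc index>`, the group name, the lookup filename and the threshold are placeholders.

```spl
`comment("Search 1 - schedule this (e.g. hourly) so the lookup tracks group membership changes")`
| ldapsearch domain=<domain> search="(&(objectClass=group)(cn=Privileged Users))" attrs="distinguishedName,member"
| ldapgroup domain=<domain>
| eval user=lower(member_name)
| table user member_dn
| outputlookup ad_group_members.csv

`comment("Search 2 - the original failed-logon search, restricted to members of the group")`
`comment("The subsearch in [...] expands to (user=a OR user=b ...) from the lookup written above")`
index=<dc index> sourcetype=XmlWinEventLog:Security EventCode=4625 user!="*$" user!="SYSTEM" (LogonType=10 OR LogonType=3)
| eval user=lower(user)
| search [| inputlookup ad_group_members.csv | fields user]
| stats count AS failures, values(Computer) AS hosts, min(_time) AS first_seen, max(_time) AS last_seen BY user
| where failures >= 5
| convert ctime(first_seen) ctime(last_seen)
```

If the group is large, replace the subsearch with `| lookup ad_group_members.csv user OUTPUT member_dn | where isnotnull(member_dn)` to avoid the subsearch result limit.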