Splunk Search

REQUEST FOR ACCOUNT LOCOUT AND LOGON FAILURE SEARCH QUERY

sowmiyansk
New Member

Can someone please help me with the below Query 

1. Account lockouts(4740) and then go back in time one hour to find login failures(4625) for the blocked user.

2. Login failure(4625) and then go back in time 2 hour to find account lockout(4740) for the same failed login user.  

SOURCE LOG BELOW :

4740 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4740</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:40:45.252885800Z'/><EventRecordID>774430877</EventRecordID><Correlation/><Execution ProcessID='568' ThreadID='1856'/><Channel>Security</Channel><Computer>TESTDC1.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>HOSTNAME123</Data><Data Name='TargetSid'>S-1-5-21-2467427501-1309223053-903455979-12974</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>TESTDC1$</Data><Data Name='SubjectDomainName'>TESTDOMAIN123</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event>

4625 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>

Labels (1)
Tags (1)
0 Karma

rafadvega
Path Finder

You should use Windows Addon to parse events:

Splunk Add-on for Microsoft Windows | Splunkbase

Then the search is like:

index=wineventlog source=XmlWinEventLog:Security EventCode=4625



0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Are you looking to extract the target user  name and eventid from the XML? I assume you already have the timestamps?

| spath Event.System.EventID output=eventid
| spath Event.EventData output=eventdata
| spath input=eventdata
| eval zipped=mvzip('Data{@Name}',Data,"=")
| eval zipped=mvfilter(match(zipped,"TargetUserName"))
| eval name=mvindex(split(zipped,"="),0)
| eval {name}=mvindex(split(zipped,"="),1)
| table _time eventid TargetUserName
0 Karma

sowmiyansk
New Member

Yes, I try to extract TargetUserName from 4740 and match it with the same TargetUserName in 4625. And Vice versa condition as well for 2nd scenario.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sort by descending time; find the next 4740; sort by ascending time; find the prior 4740; then evaluate if an attempt is within an hour of the next lock; find the time of the previous lock (within 2 hours) for each failed attempt

| gentimes start=-1 increment=10m 
| rename starttime as _time 
| eval user="user".mvindex(split("ABC",""),random()%3)
| eval event=mvindex(split("4740,4625,4625,4625,4625",","),random()%5)



| sort 0 - _time
| eval time4740=if(event=4740,_time,null())
| eval time4625=if(event=4625,_time,null())
| streamstats earliest(time4740) as next4740 by user
| sort 0 _time
| streamstats latest(time4740) as prior4740 by user
| table _time event user next4740 prior4740
| eval attemptprior=if(event=4625, next4740-_time < 60*60, null())
| eval earlierlockout=if(event=4625 AND _time-prior4740 < 60*60*2, prior4740, null())


| fieldformat next4740=strftime(next4740,"%F %T")
| fieldformat earlierlockout=strftime(earlierlockout,"%F %T")
| fieldformat prior4740=strftime(prior4740,"%F %T")
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...