Splunk Search

REQUEST FOR ACCOUNT LOCOUT AND LOGON FAILURE SEARCH QUERY

sowmiyansk
New Member

Can someone please help me with the below Query 

1. Account lockouts(4740) and then go back in time one hour to find login failures(4625) for the blocked user.

2. Login failure(4625) and then go back in time 2 hour to find account lockout(4740) for the same failed login user.  

SOURCE LOG BELOW :

4740 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4740</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:40:45.252885800Z'/><EventRecordID>774430877</EventRecordID><Correlation/><Execution ProcessID='568' ThreadID='1856'/><Channel>Security</Channel><Computer>TESTDC1.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>HOSTNAME123</Data><Data Name='TargetSid'>S-1-5-21-2467427501-1309223053-903455979-12974</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>TESTDC1$</Data><Data Name='SubjectDomainName'>TESTDOMAIN123</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event>

4625 EVENT

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>

Labels (1)
Tags (1)
0 Karma

rafadvega
Path Finder

You should use Windows Addon to parse events:

Splunk Add-on for Microsoft Windows | Splunkbase

Then the search is like:

index=wineventlog source=XmlWinEventLog:Security EventCode=4625



0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Are you looking to extract the target user  name and eventid from the XML? I assume you already have the timestamps?

| spath Event.System.EventID output=eventid
| spath Event.EventData output=eventdata
| spath input=eventdata
| eval zipped=mvzip('Data{@Name}',Data,"=")
| eval zipped=mvfilter(match(zipped,"TargetUserName"))
| eval name=mvindex(split(zipped,"="),0)
| eval {name}=mvindex(split(zipped,"="),1)
| table _time eventid TargetUserName
0 Karma

sowmiyansk
New Member

Yes, I try to extract TargetUserName from 4740 and match it with the same TargetUserName in 4625. And Vice versa condition as well for 2nd scenario.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sort by descending time; find the next 4740; sort by ascending time; find the prior 4740; then evaluate if an attempt is within an hour of the next lock; find the time of the previous lock (within 2 hours) for each failed attempt

| gentimes start=-1 increment=10m 
| rename starttime as _time 
| eval user="user".mvindex(split("ABC",""),random()%3)
| eval event=mvindex(split("4740,4625,4625,4625,4625",","),random()%5)



| sort 0 - _time
| eval time4740=if(event=4740,_time,null())
| eval time4625=if(event=4625,_time,null())
| streamstats earliest(time4740) as next4740 by user
| sort 0 _time
| streamstats latest(time4740) as prior4740 by user
| table _time event user next4740 prior4740
| eval attemptprior=if(event=4625, next4740-_time < 60*60, null())
| eval earlierlockout=if(event=4625 AND _time-prior4740 < 60*60*2, prior4740, null())


| fieldformat next4740=strftime(next4740,"%F %T")
| fieldformat earlierlockout=strftime(earlierlockout,"%F %T")
| fieldformat prior4740=strftime(prior4740,"%F %T")
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!