Can someone please help me with the query below?
1. Account lockouts (4740), and then go back in time one hour to find login failures (4625) for the blocked user.
2. Login failure (4625), and then go back in time 2 hours to find the account lockout (4740) for the same failed login user.
SOURCE LOG BELOW:
4740 EVENT
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4740</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:40:45.252885800Z'/><EventRecordID>774430877</EventRecordID><Correlation/><Execution ProcessID='568' ThreadID='1856'/><Channel>Security</Channel><Computer>TESTDC1.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>HOSTNAME123</Data><Data Name='TargetSid'>S-1-5-21-2467427501-1309223053-903455979-12974</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>TESTDC1$</Data><Data Name='SubjectDomainName'>TESTDOMAIN123</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event>
4625 EVENT
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>
You should use the Windows Add-on to parse the events:
Splunk Add-on for Microsoft Windows | Splunkbase
Then the search is like:
index=wineventlog source=XmlWinEventLog:Security EventCode=4625
Are you looking to extract the target user name and eventid from the XML? I assume you already have the timestamps?
| spath Event.System.EventID output=eventid
| spath Event.EventData output=eventdata
| spath input=eventdata
| eval zipped=mvzip('Data{@Name}',Data,"=")
| eval zipped=mvfilter(match(zipped,"TargetUserName"))
| eval name=mvindex(split(zipped,"="),0)
| eval {name}=mvindex(split(zipped,"="),1)
| table _time eventid TargetUserName
Yes, I am trying to extract TargetUserName from 4740 and match it with the same TargetUserName in 4625, and vice versa for the 2nd scenario.
Sort by descending time; find the next 4740; sort by ascending time; find the prior 4740; then evaluate whether an attempt is within an hour of the next lock; find the time of the previous lock (within 2 hours) for each failed attempt.
| gentimes start=-1 increment=10m
| rename starttime as _time
| eval user="user".mvindex(split("ABC",""),random()%3)
| eval event=mvindex(split("4740,4625,4625,4625,4625",","),random()%5)
| sort 0 - _time
| eval time4740=if(event=4740,_time,null())
| eval time4625=if(event=4625,_time,null())
| streamstats earliest(time4740) as next4740 by user
| sort 0 _time
| streamstats latest(time4740) as prior4740 by user
| table _time event user next4740 prior4740
| eval attemptprior=if(event=4625, if(next4740-_time < 60*60, 1, 0), null())
| eval earlierlockout=if(event=4625 AND _time-prior4740 < 60*60*2, prior4740, null())
| fieldformat next4740=strftime(next4740,"%F %T")
| fieldformat earlierlockout=strftime(earlierlockout,"%F %T")
| fieldformat prior4740=strftime(prior4740,"%F %T")
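As an added example (not code from the thread or from Splunk), here is the same two-scenario correlation in Python: it pulls the fields the spath/mvzip pipeline above extracts (EventID, TimeCreated, TargetUserName) out of the raw XML, then applies the 1-hour and 2-hour lookback windows directly instead of the sort/streamstats trick. The event set is constructed for the example, with only the lockout and failure timestamps taken from the thread; parse_event, correlate, make_event and run are names of this example, not of any Splunk add-on.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCKOUT_LOOKBACK = timedelta(hours=1)   # scenario 1: 4625s in the hour before a 4740
FAILURE_LOOKBACK = timedelta(hours=2)   # scenario 2: a 4740 in the 2 hours before a 4625
def parse_time(system_time):
    """TimeCreated/@SystemTime carries 7 fractional digits; keep the first 6 (microseconds)."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return when + timedelta(microseconds=int((frac + "000000")[:6]))

def parse_event(xml_text):
    """Same fields the spath/mvzip pipeline extracts: (time, EventID, TargetUserName)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    when = parse_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return when, event_id, data["TargetUserName"].upper()  # account names are case-insensitive

def correlate(events):
    """events: iterable of (time, event_id, user). Returns (scenario1, scenario2) dicts."""
    lockouts = sorted((t, u) for t, e, u in events if e == 4740)
    failures = sorted((t, u) for t, e, u in events if e == 4625)
    # Scenario 1: every failure for the locked user within the hour before the lockout
    failures_before_lockout = {
        (lu, lt): [ft for ft, fu in failures if fu == lu and lt - LOCKOUT_LOOKBACK <= ft <= lt]
        for lt, lu in lockouts}
    # Scenario 2: the most recent lockout for the failing user within the 2 hours before the failure
    lockout_before_failure = {}
    for ft, fu in failures:
        prior = [lt for lt, lu in lockouts if lu == fu and ft - FAILURE_LOOKBACK <= lt <= ft]
        lockout_before_failure[(fu, ft)] = max(prior) if prior else None
    return failures_before_lockout, lockout_before_failure

def make_event(event_id, system_time, user):
    """Constructed minimal event in the Security channel's XML schema (not a captured log)."""
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{system_time}'/></System>"
            f"<EventData><Data Name='TargetUserName'>{user}</Data></EventData></Event>")
SAMPLE = [  # constructed; the 12:40:45 lockout and 12:44:43 failure reuse the thread's timestamps
    make_event(4625, "2021-11-18T11:30:00.000000000Z", "TESTUSER123"),  # >1h before lockout: not counted
    make_event(4625, "2021-11-18T12:10:00.000000000Z", "TESTUSER123"),  # within 1h before lockout
    make_event(4625, "2021-11-18T12:12:00.000000000Z", "OTHERUSER"),    # different user: never matched
    make_event(4740, "2021-11-18T12:40:45.252885800Z", "TESTUSER123"),  # the lockout
    make_event(4625, "2021-11-18T12:44:43.074155100Z", "TESTUSER123"),  # failure 4 min after lockout
    make_event(4625, "2021-11-18T15:00:00.000000000Z", "TESTUSER123"),  # >2h after lockout: no prior
]
def run(xml_events=SAMPLE):
    return correlate([parse_event(x) for x in xml_events])
```

run() returns the two result dicts keyed by (user, event time); on the sample, only the 12:10 failure lands in the hour before the lockout, and only the 12:44 failure has a prior lockout within 2 hours.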