Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- REQUEST FOR ACCOUNT LOCOUT AND LOGON FAILURE SEARC...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
REQUEST FOR ACCOUNT LOCOUT AND LOGON FAILURE SEARCH QUERY
Can someone please help me with the below Query
1. Account lockouts(4740) and then go back in time one hour to find login failures(4625) for the blocked user.
2. Login failure(4625) and then go back in time 2 hour to find account lockout(4740) for the same failed login user.
SOURCE LOG BELOW :
4740 EVENT
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4740</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:40:45.252885800Z'/><EventRecordID>774430877</EventRecordID><Correlation/><Execution ProcessID='568' ThreadID='1856'/><Channel>Security</Channel><Computer>TESTDC1.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>HOSTNAME123</Data><Data Name='TargetSid'>S-1-5-21-2467427501-1309223053-903455979-12974</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>TESTDC1$</Data><Data Name='SubjectDomainName'>TESTDOMAIN123</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event>
4625 EVENT
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should use Windows Addon to parse events:
Splunk Add-on for Microsoft Windows | Splunkbase
Then the search is like:
index=wineventlog source=XmlWinEventLog:Security EventCode=4625- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking to extract the target user name and eventid from the XML? I assume you already have the timestamps?
| spath Event.System.EventID output=eventid
| spath Event.EventData output=eventdata
| spath input=eventdata
| eval zipped=mvzip('Data{@Name}',Data,"=")
| eval zipped=mvfilter(match(zipped,"TargetUserName"))
| eval name=mvindex(split(zipped,"="),0)
| eval {name}=mvindex(split(zipped,"="),1)
| table _time eventid TargetUserName- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I try to extract TargetUserName from 4740 and match it with the same TargetUserName in 4625. And Vice versa condition as well for 2nd scenario.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sort by descending time; find the next 4740; sort by ascending time; find the prior 4740; then evaluate if an attempt is within an hour of the next lock; find the time of the previous lock (within 2 hours) for each failed attempt
| gentimes start=-1 increment=10m
| rename starttime as _time
| eval user="user".mvindex(split("ABC",""),random()%3)
| eval event=mvindex(split("4740,4625,4625,4625,4625",","),random()%5)
| sort 0 - _time
| eval time4740=if(event=4740,_time,null())
| eval time4625=if(event=4625,_time,null())
| streamstats earliest(time4740) as next4740 by user
| sort 0 _time
| streamstats latest(time4740) as prior4740 by user
| table _time event user next4740 prior4740
| eval attemptprior=if(event=4625, next4740-_time < 60*60, null())
| eval earlierlockout=if(event=4625 AND _time-prior4740 < 60*60*2, prior4740, null())
| fieldformat next4740=strftime(next4740,"%F %T")
| fieldformat earlierlockout=strftime(earlierlockout,"%F %T")
| fieldformat prior4740=strftime(prior4740,"%F %T")
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
