Looking for a search to show activity from a disabled user account.
From the event code 639 i can get the information about the disabled account. I can extract the username and need to see any login failures for the disabled account hereafter. Here the sourcetypes are same.
index="WinEventLog:Security" | transaction src maxspan=10 startswith="EventCode=639" endswith="EventCode=531"
Appreciate if you could help me with the search.
Most of Splunk correlation methods like transaction, join, append, subsearch, stats and lookup will work. Depends on your scenario.
Are you trying to:
1) Pull up all failed login attempts by all disabled users (stats or lookup will be better) or
2) Do you have a disabled user for whom you need to find failed login attempts (transaction will be better)?
Refer to Splunk documentation on which event correlation technique to be picked up under what scenario: https://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
In order for the community to assist you, can you provide one sample event from each of the 639 and 531 Event IDs? Please make sure that you replace actual names/IDs and details with mock data so that we can assist you more with the correlation. Following is a sample query for guidance:
Option with lookup:
1) Create lookup file through scheduled search via outputlookup command for Disabled Account (EventCode=639) and log meaningful details like Disabled User ID, Domain, Unique ID, Date of Deactivation etc.
index="<Your_Index_Name>" sourcetype="WinEventLog:Security" EventCode="639" Privileges="Disabled" CallerLogonID=* | table CallerLogonID _time <other meaningful fields> | outputlookup <your_lookup_file_or_table_name>
Schedule can be as per your requirement like hourly once or daily once.
2) Perform stats on Failed Login Attempts (EventCode=531) to capture details on frequency, number of failed attempts, source IPs, host/s, and link with the lookup table to fill in the details.
index="<Your_Index_Name>" sourcetype="WinEventLog:Security" EventCode="531" CallerLogonID=* | stats count min(_time) as EarliestFailedLogin max(_time) as LatestFailedLogin values(host) as ServersAttempted by CallerLogonID | lookup <your_lookup_file_or_table_name> CallerLogonID OUTPUT _time as UserDisabledDate | where isnotnull(UserDisabledDate)
Option with stats: (I think you meant sourcetype in your question, not index, as your index name might be different). Assuming CallerLogonID as the joining field and Privileges=Disabled for the disabled account.
index="<Your_Index_Name>" sourcetype="WinEventLog:Security" ((EventCode="639" AND Privileges=Disabled) OR EventCode="531") CallerLogonID=* | stats count as eventcount min(_time) as EarliestTime max(_time) as LatestTime values(EventCode) as EventCode values(_time) as Events by CallerLogonID
For Disabled Accounts with failed login attempts you need to pipe the following
| search EventCode=639 AND EventCode=531
For All other Failed Logins
| search EventCode!=639 AND EventCode=531
Option with Transaction
index="<Your_Index_Name>" sourcetype="WinEventLog:Security" (EventCode="639" OR EventCode="531") CallerLogonID=* | transaction CallerLogonID startswith="EventCode=639" endswith="EventCode=531" | table CallerLogonID eventcount duration
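To make the lookup and stats options concrete, here is an added Python example (not part of the answer above and not Splunk code) that runs the same two-step correlation over a handful of constructed key=value events: step 1 builds the "disabled accounts" lookup from EventCode=639 events, step 2 aggregates EventCode=531 failures per CallerLogonID and keeps only users present in that lookup, plus the "all other failed logins" split. The event lines, user names, hosts and timestamps are invented for the example; the field names mirror the searches above. One check the SPL lookup join does not perform is also added: a failure is only counted if it happened at or after the account's disable time.

```python
import re
from datetime import datetime

# Constructed mock events in key=value form (invented names, hosts and times);
# the field names mirror the ones used in the Splunk searches.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00 EventCode=531 CallerLogonID=jdoe host=srv01",      # before the disable: not a hit
    "2024-03-01T09:00:00 EventCode=639 Privileges=Disabled CallerLogonID=jdoe host=dc01",
    "2024-03-01T09:30:00 EventCode=531 CallerLogonID=jdoe host=srv01",
    "2024-03-01T10:15:00 EventCode=531 CallerLogonID=jdoe host=srv02",
    "2024-03-01T10:20:00 EventCode=531 CallerLogonID=asmith host=srv01",    # account never disabled
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict; _time holds the parsed timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def build_disabled_lookup(events):
    """Step 1 (the outputlookup search): earliest disable time per CallerLogonID
    taken from EventCode=639 Privileges=Disabled events."""
    lookup = {}
    for ev in map(parse_event, events):
        if ev.get("EventCode") != "639" or ev.get("Privileges") != "Disabled":
            continue
        user = ev.get("CallerLogonID")
        if user and (user not in lookup or ev["_time"] < lookup[user]):
            lookup[user] = ev["_time"]
    return lookup


def failed_logins_by_disabled_user(events, lookup):
    """Step 2 (stats + lookup): aggregate EventCode=531 per CallerLogonID and keep
    only users present in the lookup. Unlike the plain SPL lookup join, failures
    recorded before the account was disabled are dropped."""
    stats = {}
    for ev in map(parse_event, events):
        if ev.get("EventCode") != "531":
            continue
        user = ev.get("CallerLogonID")
        if user not in lookup or ev["_time"] < lookup[user]:
            continue
        row = stats.setdefault(user, {
            "count": 0,
            "EarliestFailedLogin": ev["_time"],
            "LatestFailedLogin": ev["_time"],
            "ServersAttempted": set(),
            "UserDisabledDate": lookup[user],
        })
        row["count"] += 1
        row["EarliestFailedLogin"] = min(row["EarliestFailedLogin"], ev["_time"])
        row["LatestFailedLogin"] = max(row["LatestFailedLogin"], ev["_time"])
        row["ServersAttempted"].add(ev.get("host"))
    return stats


def other_failed_logins(events, lookup):
    """Counterpart of '| search EventCode!=639 AND EventCode=531': failed logins
    for accounts that have no disable event at all, counted per user."""
    counts = {}
    for ev in map(parse_event, events):
        user = ev.get("CallerLogonID")
        if ev.get("EventCode") == "531" and user and user not in lookup:
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    disabled = build_disabled_lookup(SAMPLE_EVENTS)
    for user, row in failed_logins_by_disabled_user(SAMPLE_EVENTS, disabled).items():
        print(user, row["count"], sorted(row["ServersAttempted"]), row["UserDisabledDate"])
    print("not disabled:", other_failed_logins(SAMPLE_EVENTS, disabled))
```

In the searches above the lookup join has no time ordering, so a 531 that was logged before the 639 for the same CallerLogonID would still be reported; the transaction option (startswith/endswith) is the one that enforces order, and the time comparison in the script mirrors that. Note also that 639 and 531 are the pre-Vista event IDs; on current Windows versions the equivalents are 4725 (account disabled) and 4625 (logon failure, with the status code indicating a disabled account), so the same correlation needs those codes substituted there.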
@renjujacob88... Sure it should be possible with stats and also lookup. In case above hints do not help you come up with query(try stats first) then please add sample events for one disabled user who attempted login. You can garble/mock the sensitive data before posting the same.
You should also read the documentation on Splunk App for Windows Infrastructure which already takes care of your use case beside many... many... many... others 😉
http://docs.splunk.com/Documentation/MSApp/latest/Reference/FailedLogons --> "Failed logons by reason (for example, expired password, locked account, or disabled account.)"
need to get the failed login attempts by all disabled users.