Adonio.
For point of clarification, I am following your logic regarding filtering as far back as possible, I read that someone else as well. I also understand the difference between those two event codes.
What I am seeking to understand is the WIN INF App: how they chose to craft their query versus what the community seems to recommend, which is, as you point out, index = sourcetype = .
The results on my end, when using the index = sourcetype = method, yields thousands of failed events for one or more random users failing at one or more random servers, but not Active Directory specifically. I could open a ticket for failed login events nearly all day most days of the week. Are these false positives, app specific, and thus do not trigger the AD lockout?
The WIN INF App appears to be more accurate and a more efficient use of resources. My concern is this: if I stop using the recommended method index = sourcetype = and start using the WIN INF App method exclusively, am I missing any legitimate failure events?
Dashboard Panel from Splunk App for Windows Infrastructure:
eventtype=msad-failed-user-logons (host="") |fields signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type,host | join max=0 host [ | search eventtype=msad-dc-health (ForestName="") (Site="") (DomainDNSName="") | dedup host | table host] | ip-to-host|stats count by user,src_nt_domain|sort -count|rename user as "Username", src_nt_domain as "Domain"
It is just confusing as to why so many people seem to have a slightly different flavor of the same search string, while the WIN INF is in a league of its own. It's as if you have 50 Ford Mustangs, every one slightly different from the next, and then bring in a semi-truck. Who's leading whom?
Regarding the account lockouts, this was a point of comparison between using the index = sourcetype = method versus the WIN INF method for failed login events.
The index = sourcetype = method yields, at times, thousands of failed login events for a single user; however, there are no account lockouts as one would expect. x Failed Login Events = Account Lockout. The results just don't match up.
With the WIN INF method, x Failed Login Events = Account Lockout as one would expect per company policy.
Thank you for your feedback.
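An added Python example, not from this thread or the Splunk app, that reproduces the reconciliation the post describes: count failed logons per user across all hosts versus only on domain controllers (the role the msad-dc-health join plays in the dashboard query), then flag users who exceed the lockout threshold without a matching lockout event. The event codes (4625 failed logon, 4740 account locked out), host names, threshold and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample Windows Security events: (EventCode, host, user).
# 4625 = failed logon, 4740 = account locked out (assumed codes).
EVENTS = [
    (4625, "dc01", "alice"), (4625, "dc01", "alice"), (4625, "dc01", "alice"),
    (4625, "dc01", "alice"), (4625, "dc01", "alice"), (4740, "dc01", "alice"),
    (4625, "app-srv7", "bob"), (4625, "app-srv7", "bob"), (4625, "app-srv7", "bob"),
    (4625, "app-srv7", "bob"), (4625, "app-srv7", "bob"), (4625, "app-srv7", "bob"),
    (4625, "dc02", "carol"), (4625, "web01", "carol"),
]
DOMAIN_CONTROLLERS = {"dc01", "dc02"}  # stand-in for the msad-dc-health host list
LOCKOUT_THRESHOLD = 5                   # assumed domain lockout policy


def failures_by_user(events, hosts=None):
    """Count failed logons per user; optionally restrict to a host set (the DC filter)."""
    counts = defaultdict(int)
    for code, host, user in events:
        if code == 4625 and (hosts is None or host in hosts):
            counts[user] += 1
    return dict(counts)


def locked_out_users(events):
    """Users with at least one lockout event."""
    return {user for code, _, user in events if code == 4740}


def reconcile(events, dcs, threshold):
    """Users over threshold in the broad search but never locked out, labelled by
    whether the failures were seen on a DC or only on member servers."""
    broad = failures_by_user(events)
    on_dc = failures_by_user(events, dcs)
    locked = locked_out_users(events)
    report = {}
    for user, n in broad.items():
        if n >= threshold and user not in locked:
            dc_hit = on_dc.get(user, 0) >= threshold
            report[user] = "dc-failures-no-lockout" if dc_hit else "member-server-only"
    return report


if __name__ == "__main__":
    print(reconcile(EVENTS, DOMAIN_CONTROLLERS, LOCKOUT_THRESHOLD))
```

Users tagged "member-server-only" are the ones the broad index/sourcetype search surfaces but the DC-scoped dashboard panel never shows, which is the gap to investigate before switching methods.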