Splunk Search

How to edit my search to trigger when an account is locked out, including details of where and why it happened?

kiran331
Builder

Hi

I need to create an alert to trigger when an account is locked out with the details of where and why account locked out. I'm trying to join the account lockout with failed activity, but I'm not getting the expected result. Any suggestion?

Search I'm using:

index=wineventlog sourcetype="WinEventLog:Security" EventCode="4740" user="*" dest_nt_domain="*"
| eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout by dest_nt_domain,user
| search lockedout="Yes"
| eval ltime=strftime(time,"%c")
| append [search index=wineventlog (EventCode=4625 OR EventCode=4771) host=* user=* Account_Name!=*$ | stats count by user,Source_Network_Address | sort - count | rename user to "User Name",Source_Network_Address to "IP Address",count to "Number of Failures"]
| table dest_nt_domain user host lockedout ltime "IP Address" "Number of Failures"
0 Karma

sundareshr
Legend

Try this

*UPDATED*

    index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="*"
    | eval src_nt_host=coalesce(src_nt_host,host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(eval(if(lockout="Yes", _time, null()))) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode=4625 OR EventCode=4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
    | eval time=strftime(time,"%c")
    | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
    | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
0 Karma
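As an added illustration that is not part of this thread or of Splunk's own code, here is the same lockout-to-failure correlation written out in Python over a few constructed sample events. It keeps the latest lockout per user, takes the reporting host from the 4740 event's src_nt_host (falling back to host, as coalesce() does in the search above), and counts failed logons per source IP only in a window before the lockout, so a user who failed but never locked out produces no alert row and failures that happen after the lockout are not counted as its cause. The field names, the one-hour window, the sample records and the function name are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs). Field names follow the Splunk
# Windows TA fields used in the thread: EventCode, user, host, src_nt_host,
# dest_nt_domain, Source_Network_Address. _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1000, "EventCode": 4625, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.5"},
    {"_time": 1060, "EventCode": 4625, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.5"},
    {"_time": 1120, "EventCode": 4771, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.9"},
    {"_time": 1200, "EventCode": 4740, "user": "alice", "host": "DC01",
     "src_nt_host": "WKS-17", "dest_nt_domain": "CORP"},
    # Failure after the lockout: must not be counted as a cause of it.
    {"_time": 1300, "EventCode": 4625, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.5"},
    # bob fails but never locks out: must not appear in the output.
    {"_time": 1100, "EventCode": 4625, "user": "bob", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.7"},
    # Lockout without src_nt_host: fall back to host, as coalesce() does.
    {"_time": 1500, "EventCode": 4740, "user": "carol", "host": "DC02",
     "dest_nt_domain": "CORP"},
]

LOCKOUT_CODES = {644, 4740}   # 644 is the pre-Vista lockout event id
FAILURE_CODES = {4625, 4771}  # logon failure, Kerberos pre-auth failure


def correlate_lockouts(events, window_seconds=3600):
    """Return one record per locked-out user: latest lockout time, the host
    that reported it, and failed logons per source IP that occurred within
    window_seconds before that lockout (hypothetical helper)."""
    lockouts = {}
    failures = defaultdict(list)
    for ev in events:
        code = int(ev["EventCode"])
        user = ev["user"]
        if user.endswith("$"):  # skip machine accounts, like Account_Name!=*$
            continue
        if code in LOCKOUT_CODES:
            prev = lockouts.get(user)
            if prev is None or ev["_time"] > prev["_time"]:
                lockouts[user] = {
                    "_time": ev["_time"],
                    "host": ev.get("src_nt_host") or ev["host"],
                    "domain": ev.get("dest_nt_domain"),
                }
        elif code in FAILURE_CODES:
            failures[user].append(
                (ev["_time"], ev.get("Source_Network_Address", "-")))

    results = []
    for user, lk in sorted(lockouts.items()):
        start = lk["_time"] - window_seconds
        per_ip = Counter(ip for t, ip in failures[user]
                         if start <= t <= lk["_time"])
        results.append({
            "User Name": user,
            "dest_nt_domain": lk["domain"],
            "host": lk["host"],
            "lockedout": "Yes",
            "time": datetime.fromtimestamp(lk["_time"], timezone.utc)
                            .strftime("%c"),
            "failures_by_ip": dict(per_ip),
            "Number of Failures": sum(per_ip.values()),
        })
    return results


if __name__ == "__main__":
    for row in correlate_lockouts(SAMPLE_EVENTS):
        print(row)
```

Keeping the per-IP breakdown (failures_by_ip) rather than a single values() list is what lets an alert say where the bad credentials came from; a stats by user alone collapses that information.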

kiran331
Builder

Thanks for your answer! I'm getting the error "'SearchProcessor': Mismatched quotes and/or parenthesis." I'm not sure why this error is occurring; I replaced == with =, but it still exists. Can you resolve this one?

0 Karma

andsmith2
Explorer

Line 4 needs another parenthesis after EventCode=4771 to close in the count command.

0 Karma

sundareshr
Legend

Try this

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="*"
 | eval src_nt_host=coalesce(src_nt_host,host)
 | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
 | stats latest(eval(if(lockout="Yes"), _time, null())) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode=4625 OR EventCode=4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
 | eval time=strftime(time,"%c")
 | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
 | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
0 Karma

kiran331
Builder

Hi sundareshr,

I got this error.

Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time, null())' is invalid. Error='The operator at ', _time, null()' is invalid.' 

What change do I have to make for it to work?

0 Karma

sundareshr
Legend

Try the updated answer

0 Karma