Splunk Search

How to edit my search to trigger when an account is locked out, including details of where and why it happened?

kiran331
Builder

Hi

I need to create an alert to trigger when an account is locked out, with the details of where and why the account was locked out. I'm trying to join the account lockout with the failed activity, but I'm not getting the expected result. Any suggestions?

Search I'm using:

    index=wineventlog sourcetype="WinEventLog:Security" EventCode="4740" user="*" dest_nt_domain="*"
    | eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout by dest_nt_domain,user
    | search lockedout="Yes"
    | eval ltime=strftime(time,"%c")
    | append [search index=wineventlog (EventCode=4625 OR EventCode=4771) host=* user=* Account_Name!=*$
        | stats count by user,Source_Network_Address
        | sort - count
        | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"]
    | table dest_nt_domain user host lockedout ltime "IP Address" "Number of Failures"
0 Karma

sundareshr
Legend

Try this

*UPDATED*

    index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="*"
    | eval src_nt_host=coalesce(src_nt_host,host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(eval(if(lockout="Yes", _time, null()))) as time, latest(src_nt_host) as host, max(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode=4625 OR EventCode=4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
    | eval time=strftime(time,"%c")
    | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
    | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
0 Karma
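The correlation the search above performs, as an added example that is not from this thread: a small Python model of the `stats ... by user` step run over constructed 4740/4625/4771 events, so the per-user lockout time, failure count and source IPs can be checked offline. Field names follow the thread's Splunk fields; the event values are made up and `correlate_lockouts` is a hypothetical helper. It deliberately takes `host` from the lockout event itself rather than from the latest event of any kind, since `latest(src_nt_host)` over mixed events can return the host of a later failed logon instead of the lockout source.

```python
# Added example (not from the thread): the per-user correlation of account lockouts
# (4740 / 644) with failed logons (4625 / 4771), written in Python so the logic the
# Splunk stats command implements can be checked offline. Values are constructed.
LOCKOUT_CODES = {644, 4740}   # account locked out (legacy NT / Vista+ event IDs)
FAILURE_CODES = {4625, 4771}  # logon failure / Kerberos pre-authentication failure

# Constructed sample events; _time is epoch seconds, field names mirror the thread.
EVENTS = [
    {"_time": 1700000000, "EventCode": 4771, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.5"},
    {"_time": 1700000030, "EventCode": 4625, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.5"},
    {"_time": 1700000060, "EventCode": 4740, "user": "alice", "host": "DC01",
     "src_nt_host": "WKS-17", "dest_nt_domain": "CORP"},
    {"_time": 1700000090, "EventCode": 4625, "user": "alice", "host": "DC01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.9"},
    {"_time": 1700000100, "EventCode": 4625, "user": "bob", "host": "DC02",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.0.7"},
]


def correlate_lockouts(events):
    """Group events by user (like `stats ... by user`) and keep only locked-out users."""
    rows = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        r = rows.setdefault(ev["user"], {
            "lockedout": "No", "time": None, "host": None,
            "dest_nt_domain": set(), "failures": 0, "ips": set()})
        r["dest_nt_domain"].add(ev["dest_nt_domain"])     # values(dest_nt_domain)
        if ev["EventCode"] in LOCKOUT_CODES:
            r["lockedout"] = "Yes"
            # latest(eval(if(lockout="Yes", _time, null()))): time of the newest lockout
            r["time"] = ev["_time"]
            # src_nt_host=coalesce(src_nt_host, host), taken from the lockout event only
            r["host"] = ev.get("src_nt_host") or ev["host"]
        elif ev["EventCode"] in FAILURE_CODES:
            r["failures"] += 1                             # count(eval(EventCode=4625 OR ...))
            r["ips"].add(ev["Source_Network_Address"])     # values(Source_Network_Address)
    # Equivalent of `| search lockedout="Yes"`: users with failures but no lockout are dropped.
    return {user: r for user, r in rows.items() if r["lockedout"] == "Yes"}


if __name__ == "__main__":
    for user, row in correlate_lockouts(EVENTS).items():
        print(user, row)
```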

kiran331
Builder

Thanks for your answer! I'm getting the error "'SearchProcessor': Mismatched quotes and/or parenthesis." I'm not sure why this error is occurring; I replaced == with =, and it still occurs. Can you resolve this one?

0 Karma

andsmith2
Explorer

Line 4 needs another parenthesis after EventCode=4771 to close the count command.

0 Karma

sundareshr
Legend

Try this

index=wineventlog sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="*"  
 | eval src_nt_host=coalesce(src_nt_host,host)
 | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No") 
 | stats latest(eval(if(lockout="Yes"), _time, null())) as time, latest(src_nt_host) as host, latest(lockout) as locked out values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user 
 | eval time=strftime(time,"%c") 
 | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
 | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
0 Karma

kiran331
Builder

Hi sundareshr,

I got this error.

Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time, null())' is invalid. Error='The operator at ', _time, null()' is invalid.' 

What change do I have to make for it to work?

0 Karma

sundareshr
Legend

Try the updated answer

0 Karma