Hello
The issue is that the search that I am using will not pull the IP address and list of IP addresses that are trying to access Active Directory:
sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX | eval Time=strftime(_time,"%m-%d-%Y %H:%M") | Table Time, src_user, user, Caller_Computer_Name | sort Time | rename src_user as Source_DC, user as Locked_Acct
The Caller_Computer_Name is only providing server info.
If you run the search sourcetype="WinEventLog:Security" msad_action="locked out", do you get the IP addresses you need in the raw events returned?
If you do, add that field or fields to the rest of the search. For example, if you get the IPs in the above search and they're in a field called "Computer_IP", you'll want to add that in like so:
sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX
| eval Time=strftime(_time,"%m-%d-%Y %H:%M")
| Table Time, src_user, user, Caller_Computer_Name, Computer_IP
| ... whatever sorts and renames you want
That should do it then.
If you do NOT get the IP address when you run that search I gave at the top, you'll have to find a different root search, one that returns that data. You could create a lookup using DNS or a file, but those are a bit more advanced topics. I'd be happy to help, but I think the better solution is to see if you have that in your data already.
It does not return an IP.
I did find that if I can locate the Security ID and search with that, it will give me the IP list of computers that have been locked out:
Account That Was Locked Out:
Security ID: S-1-5-21-448539723-1085031214-725345543-15557
I have two ways this might work. First, a transaction might just be able to "connect" the two events together. I'm going to assume as an example that the two events you need will be within 5 minutes of each other (maxspan=5m). Adjust all you need to, but hopefully the events will be close (that makes it all more efficient). Still, if you need maxspan=12h, well, then, do it. 🙂
If you change your root search to something like
sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX
| transaction maxspan=5m Security_ID
What do you get? If those look like they have both pieces of information in them, then you can just proceed with the rest of your search. Please see the docs on transaction for more information. You should also investigate the startswith= and endswith= parameters for transaction, too; they're very useful at making this run fast and well.
If that doesn't work ...
It might be that a join is appropriate here. You'll note that right at the top of the join page in Splunk docs there are a lot of alternate ways to do this listed. That should be a hint that this isn't particularly efficient and that maybe someone else can come up with a non-join way of doing this.
But, that being said, this probably won't be bad as long as we keep it confined as well as we can.
Without being able to see your data, I think what you'll want to do is join on Security_ID (renaming one side or the other if required to get them to the same field name), and have your existing search above as the subsearch. Like this...
<search that returns the IP-side of things and has Security_ID in it>
| join Security_ID [ search sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX ]
| eval Time=strftime(_time,"%m-%d-%Y %H:%M")
| Table Time, src_user, user, Caller_Computer_Name, Computer_IP
| ... whatever sorts and renames you want
There are a few things to note. First, Security_ID has to be in the subsearch and in the search, and it has to connect the two properly. If it's in there but named differently, then you could add a | rename blah_field AS Security_ID on one side.
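To make the correlation the answer above proposes concrete outside of Splunk, here is an added example (not from the thread or from Splunk) that models it in Python: lockout events and a second event stream carrying source IPs are correlated on Security_ID within a 5-minute window, the way `transaction maxspan=5m Security_ID` or `join Security_ID` would do it, including the `rename` needed when the SID field is named differently on one side. All events, the IP-side field names (Account_SID, Source_Network_Address) and the second SID are constructed for the example.

```python
"""Windowed correlation of two Windows Security event streams on Security_ID.

Added example, not from the thread. It models the thread's
`transaction maxspan=5m Security_ID` / `join Security_ID` idea with constructed
events so the logic can be checked without a Splunk instance. The IP-side field
names (Account_SID, Source_Network_Address) are assumptions.
"""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
SID_A = "S-1-5-21-448539723-1085031214-725345543-15557"   # from the thread
SID_B = "S-1-5-21-448539723-1085031214-725345543-1104"    # constructed, other account

# Constructed lockout events, shaped like the extracted WinEventLog:Security fields.
LOCKOUT_EVENTS = [
    {"_time": "2023-03-01 09:00:10", "msad_action": "locked out", "user": "jdoe",
     "src_user": "DC01", "Caller_Computer_Name": "DC01", "Security_ID": SID_A},
    {"_time": "2023-03-01 13:30:00", "msad_action": "locked out", "user": "jdoe",
     "src_user": "DC02", "Caller_Computer_Name": "DC02", "Security_ID": SID_A},
]

# Constructed IP-side events. The SID sits under a different field name here,
# so it must be renamed to Security_ID before correlating (the thread's
# `| rename blah_field AS Security_ID`).
IP_EVENTS = [
    {"_time": "2023-03-01 08:58:40", "Account_SID": SID_A, "Source_Network_Address": "10.20.30.40"},
    {"_time": "2023-03-01 08:59:55", "Account_SID": SID_A, "Source_Network_Address": "10.20.30.41"},
    {"_time": "2023-03-01 11:00:00", "Account_SID": SID_A, "Source_Network_Address": "10.20.30.42"},  # outside window
    {"_time": "2023-03-01 13:29:00", "Account_SID": SID_B, "Source_Network_Address": "10.20.30.43"},  # other account
]


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def rename(events, old, new):
    """Equivalent of `| rename old AS new`: return copies with the field renamed."""
    out = []
    for e in events:
        e = dict(e)
        if old in e:
            e[new] = e.pop(old)
        out.append(e)
    return out


def correlate(lockouts, ip_events, maxspan=timedelta(minutes=5)):
    """Pair each lockout with the source IPs seen for the same Security_ID
    within +/- maxspan of it. Returns rows shaped like the thread's table."""
    ip_by_sid = {}
    for e in ip_events:
        ip_by_sid.setdefault(e["Security_ID"], []).append(e)

    rows = []
    for lock in lockouts:
        t_lock = parse_time(lock["_time"])
        ips = sorted({
            e["Source_Network_Address"]
            for e in ip_by_sid.get(lock["Security_ID"], [])
            if abs(t_lock - parse_time(e["_time"])) <= maxspan
        })
        rows.append({
            "Time": t_lock.strftime("%m-%d-%Y %H:%M"),
            "Source_DC": lock["src_user"],
            "Locked_Acct": lock["user"],
            "Caller_Computer_Name": lock["Caller_Computer_Name"],
            "Computer_IP": ips,
            "_sort_key": t_lock,
        })
    # Sort on the real timestamp, not the display string, so order is correct
    # across day/month boundaries.
    rows.sort(key=lambda r: r.pop("_sort_key"))
    return rows


def build_report():
    ip_side = rename(IP_EVENTS, "Account_SID", "Security_ID")
    return correlate(LOCKOUT_EVENTS, ip_side)


if __name__ == "__main__":
    for row in build_report():
        print(row)
```

Running it shows the first lockout paired with the two IPs seen within five minutes of it and the second lockout with no IPs at all, which is exactly the case where you would widen maxspan (or find a better IP-side root search) rather than conclude that no client was involved.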