Splunk Search

How do I search a list of locked out IP addresses that are trying to access Active Directory?

thor046
New Member

Hello

The issue is that the search that I am using will not pull the IP address and list of IP addresses that are trying to access Active Directory:

sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX
| eval Time=strftime(_time,"%m-%d-%Y %H:%M")
| table Time, src_user, user, Caller_Computer_Name
| sort Time
| rename src_user as Source_DC, user as Locked_Acct

The Caller_Computer_Name is only providing server info


Richfez
SplunkTrust

If you run the search sourcetype="WinEventLog:Security" msad_action="locked out", do you get the IP addresses you need in the raw events returned?

If you do, add that field or fields to the rest of the search. For example, if you get the IPs in the above search and they're in a field called "Computer_IP", you'll want to add that in like so:

sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX 
| eval Time=strftime(_time,"%m-%d-%Y %H:%M") 
| table Time, src_user, user, Caller_Computer_Name, Computer_IP
| ... whatever sorts and renames you want

that should do it then.

If you do NOT get the IP address when you run that search I gave at the top, you'll have to find a different root search, one that returns that data. You could create a lookup using DNS or a file, but those are a bit more advanced topics. I'd be happy to help, but I think the better solution is to see if you have that in your data already.

thor046
New Member

It does not return an IP.

I did find that if I can locate the Security ID and search with that, it will give me the IP list of computers that have been locked out:

Account That Was Locked Out:
Security ID: S-1-5-21-448539723-1085031214-725345543-15557


Richfez
SplunkTrust

I have two ways this might work. First, a transaction might just be able to "connect" the two events together. I'm going to assume as an example that the two events you need will be within 5 minutes of each other (maxspan=5m). Adjust all you need to, but hopefully the events will be close (that makes it all more efficient). Still, if you need maxspan=12h, well, then, do it. 🙂

If you change your root search to something like

sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX 
| transaction maxspan=5m Security_ID

What do you get? If those look like they have both pieces of information in them, then you can just proceed with the rest of your search. Please see the docs on transaction for more information. You should also investigate the startswith= and endswith= parameters for transaction, too, they're very useful at making this run fast and well.

If that doesn't work ...

It might be that a join is appropriate here. You'll note that right at the top of the join page in Splunk docs there are a lot of alternate ways to do this listed. That should be a hint that this isn't particularly efficient and that maybe someone else can come up with a non-join way of doing this.

But, that being said, this probably won't be bad as long as we keep it confined as well as we can.

Without being able to see your data, I think what you'll want to do is join on Security_ID (renaming one side or the other if required to get them to the same field name), and have your existing search above as the subsearch. Like this...

<search that returns the IP-side of things and has Security_ID in it> 
| join Security_ID [ search  sourcetype="WinEventLog:Security" msad_action="locked out" user=XXXXXX ]
| eval Time=strftime(_time,"%m-%d-%Y %H:%M") 
| table Time, src_user, user, Caller_Computer_Name, Computer_IP
| ... whatever sorts and renames you want

There are a few things to note. First, Security_ID has to be in the subsearch and in the search, and it has to connect the two properly. If it's in there but named differently, then you could add a | rename blah_field AS Security_ID on one side.

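As an added example (not from either poster above), here is the "non-join way" Richfez alludes to: one search that pulls both the lockout event and the events that carry the client IP, and correlates them with stats on the account SID. It assumes the Splunk Add-on for Microsoft Windows field names (EventCode, Security_ID, Client_Address, Caller_Computer_Name, user), that the lockout is Windows Security event 4740 and the IP-side events are Kerberos pre-authentication failures, event 4771, whose Client_Address field holds the source IP (often prefixed ::ffff:). It also relies on Security_ID being multivalued in 4740 (the Subject SID is the DC's local SYSTEM account, S-1-5-18, while domain account SIDs start with S-1-5-21-), which is why the SID is filtered rather than taken as-is. Add back a user=... filter on the first line if you only want one account.

```spl
sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4771)
| eval sid=mvfilter(match(Security_ID, "^S-1-5-21-"))
| eval src_ip=if(EventCode=4771, replace(Client_Address, "^::ffff:", ""), null())
| eval caller=if(EventCode=4740, Caller_Computer_Name, null())
| eval locked_at=if(EventCode=4740, _time, null())
| bin _time span=5m
| stats values(user) AS Locked_Acct
        values(caller) AS Caller_Computer_Name
        values(src_ip) AS Client_IPs
        count(eval(EventCode=4771)) AS preauth_failures
        min(locked_at) AS locked_at
        by sid _time
| where isnotnull(locked_at)
| eval Time=strftime(locked_at, "%m-%d-%Y %H:%M")
| table Time sid Locked_Acct Caller_Computer_Name Client_IPs preauth_failures
| sort Time
```

Each output row is one lockout with the list of client IPs that failed authentication for the same SID in the same 5-minute bucket. The caveat is the bin: failures that land just before a bucket boundary end up in a different row from the lockout, which transaction maxspan=5m would have grouped; if that matters, widen the span or use the transaction form from the answer above and accept the extra cost. If your environment has NTLM logons rather than Kerberos, the equivalent IP-side event is the failed logon (event 4625, Source_Network_Address) and the src_ip line changes accordingly.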