Hi Splunk Community,
I have what I hope is a simple question.
Our company has always monitored domain account lockouts, but recently we wanted to take it a bit further and monitor IIS logs for potential lockouts caused by attempts to authenticate against our Exchange CAS servers.
Therefore, our main real-time search is as follows:
```
index!=_audit EventCode=4740 | table _time, EventCodeDescription, Account_Name, Security_ID, Account_Domain, Caller_Computer_Name, Message | eval _time=strftime(_time, "%H:%M:%S %m-%d-%y") | fields - _raw | rename _time AS "When?", Message AS "Who?_Where?"
```
I had an idea that, instead of going through the hassle of associating fields between WinEventLog:Security and iis to figure out why someone would get locked out on our CAS server, it would be more efficient to generate a report of the past 10 minutes (give or take 3 minutes; I haven't decided on that) for sc_win32_status=1326 (bad username or password from IIS).
Search below:
```
sourcetype="iis" sc_win32_status=1326 | eval username=lower(cs_username) | fillnull | stats count by username, cs_uri_stem, cs_User_Agent | where count>1 AND count<6 | sort -count
```
My goal would be to generate this IIS report when the Caller_Computer_Name is equal to the name of one of our CAS servers when the EventCode=4740 alert is thrown.
Is there a way to achieve this?
Thank you in advance,
Daniel
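One way to tie the two searches together without a join, as an added example that is not part of the original post: a single scheduled search that pulls the 4740 events whose Caller_Computer_Name is a CAS server and the IIS 1326 events from the same window, then correlates them on the lowercased account name. The hostnames CAS01 and CAS02 are placeholders; it assumes Splunk's default Windows extraction puts the locked-out account as the last value of the multivalued Account_Name field and that cs_username may carry a DOMAIN\ prefix.

```spl
(index!=_audit EventCode=4740 Caller_Computer_Name IN ("CAS01", "CAS02"))
    OR (sourcetype="iis" sc_win32_status=1326)
    earliest=-10m latest=now
| eval locked_account=mvindex(Account_Name, -1)
| eval iis_user=mvindex(split(cs_username, "\\"), -1)
| eval username=lower(coalesce(locked_account, iis_user))
| eval is_lockout=if(EventCode=4740, 1, 0)
| eval is_bad_auth=if(sc_win32_status=1326, 1, 0)
| stats sum(is_lockout) AS lockouts,
        sum(is_bad_auth) AS bad_auths,
        values(Caller_Computer_Name) AS locked_by,
        values(cs_uri_stem) AS uri_stems,
        values(cs_User_Agent) AS user_agents,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY username
| where lockouts > 0 AND bad_auths > 1 AND bad_auths < 6
| eval first_seen=strftime(first_seen, "%H:%M:%S %m-%d-%y"),
       last_seen=strftime(last_seen, "%H:%M:%S %m-%d-%y")
| sort -bad_auths
```

Saved as an alert that runs every 10 minutes and triggers when the number of results is greater than zero, it only produces rows for accounts that were both locked out via a CAS server and seen failing IIS authentication in the same window, so an empty result means there is nothing to report.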