Splunk Search

How to edit my search to trigger when an account is locked out, including details of where and why it happened?

kiran331
Builder

Hi

I need to create an alert to trigger when an account is locked out, with the details of where and why the account was locked out. I'm trying to join the account lockout with the failed-logon activity, but I'm not getting the expected result. Any suggestions?

Search I'm using:

    index=wineventlog sourcetype="WinEventLog:Security" EventCode="4740" user="*" dest_nt_domain="*"
    | eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout by dest_nt_domain, user
    | search lockedout="Yes"
    | eval ltime=strftime(time,"%c")
    | append [search index=wineventlog (EventCode=4625 OR EventCode=4771) host=* user=* Account_Name!=*$
        | stats count by user, Source_Network_Address
        | sort - count
        | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"]
    | table dest_nt_domain user host lockedout ltime "IP Address" "Number of Failures"
0 Karma

sundareshr
Legend

Try this

*UPDATED*

    index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="*"
    | eval src_nt_host=coalesce(src_nt_host,host)
    | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
    | stats latest(eval(if(lockout="Yes", _time, null()))) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode=4625 OR EventCode=4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
    | eval time=strftime(time,"%c")
    | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
    | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
0 Karma

kiran331
Builder

Thanks for your answer! I'm getting the error "'SearchProcessor': Mismatched quotes and/or parenthesis." I'm not sure why this error is occurring; I replaced == with = and it still exists. Can you resolve this one?

0 Karma

andsmith2
Explorer

Line 4 needs another parenthesis after EventCode=4771 to close the count command.

0 Karma

sundareshr
Legend

Try this

index=wineventlog sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="*"  
 | eval src_nt_host=coalesce(src_nt_host,host)
 | eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No") 
 | stats latest(eval(if(lockout="Yes"), _time, null())) as time, latest(src_nt_host) as host, latest(lockout) as locked out values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user 
 | eval time=strftime(time,"%c") 
 | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
 | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
0 Karma

kiran331
Builder

Hi sundareshr,

I got this error.

Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time, null())' is invalid. Error='The operator at ', _time, null()' is invalid.' 

What change do I have to make for it to work?

0 Karma

sundareshr
Legend

Try the updated answer

0 Karma
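The searches in this thread count every 4625/4771 for the user in the search time range and take the source from Source_Network_Address, which only 4625 carries (4771, the Kerberos pre-authentication failure, reports the source as Client_Address, frequently as an IPv4-mapped IPv6 literal). The 4740 event itself also answers the "where" question directly through its Caller Computer Name field. The script below is an added example, not code from the thread or from Splunk: it runs the same correlation outside Splunk over constructed sample events whose field names are assumed to match what the Windows add-on extracts (user, host, Source_Network_Address, Client_Address, Caller_Computer_Name), and it only counts failures that fall inside the lockout observation window before each lockout, which is assumed here to be 30 minutes.

```python
"""Correlate Windows 4740 account-lockout events with the 4625/4771 logon
failures that preceded them, to report where and why an account locked.

Added example; not from the original thread. Event dicts mimic the field
names Splunk's Windows add-on extracts from WinEventLog:Security, and the
sample events are constructed for this example. Assumptions: times are
epoch seconds, and LOCKOUT_WINDOW_SECONDS matches the domain's
"Reset account lockout counter after" policy value.
"""
from collections import Counter, defaultdict

LOCKOUT_WINDOW_SECONDS = 30 * 60     # assumed lockout observation window
FAILURE_CODES = {"4625", "4771"}     # failed logon, Kerberos pre-auth failed
LOCKOUT_CODES = {"4740", "644"}      # 644 is the pre-Vista equivalent of 4740


def failure_source(event):
    """Source address of a failed attempt. 4625 carries Source_Network_Address;
    4771 carries Client_Address, often as ::ffff:a.b.c.d, which is normalised."""
    src = event.get("Source_Network_Address") or event.get("Client_Address") or "-"
    if src.startswith("::ffff:"):
        src = src[len("::ffff:"):]
    return src


def correlate_lockouts(events, window=LOCKOUT_WINDOW_SECONDS):
    """One record per lockout event: the DC that reported it, the caller
    computer named in the 4740, and the failures in the preceding window
    broken down by source address. Account names are matched case-insensitively."""
    failures = defaultdict(list)   # user -> [(time, source_ip)]
    for e in events:
        if e["EventCode"] in FAILURE_CODES:
            failures[e["user"].lower()].append((e["_time"], failure_source(e)))

    results = []
    for e in events:
        if e["EventCode"] not in LOCKOUT_CODES:
            continue
        user, t_lock = e["user"].lower(), e["_time"]
        preceding = [f for f in failures[user] if t_lock - window <= f[0] <= t_lock]
        results.append({
            "user": user,
            "dest_nt_domain": e.get("dest_nt_domain", "-"),
            "lockout_time": t_lock,
            "reported_by_dc": e["host"],
            "caller_computer": e.get("Caller_Computer_Name", "-"),
            "failures_in_window": len(preceding),
            "failures_by_source": dict(Counter(src for _, src in preceding)),
            "last_failure_before_lockout": max((t for t, _ in preceding), default=None),
        })
    return results


T0 = 1_700_000_000
SAMPLE_EVENTS = [  # constructed sample data, not real log lines
    # a failure well before the window: must not count towards the lockout
    {"_time": T0 - 4000, "EventCode": "4625", "user": "jdoe", "host": "DC01", "Source_Network_Address": "10.0.0.5"},
    {"_time": T0 + 10, "EventCode": "4625", "user": "jdoe", "host": "DC01", "Source_Network_Address": "10.0.0.5"},
    {"_time": T0 + 20, "EventCode": "4625", "user": "jdoe", "host": "DC01", "Source_Network_Address": "10.0.0.5"},
    {"_time": T0 + 30, "EventCode": "4771", "user": "jdoe", "host": "DC02", "Client_Address": "::ffff:10.0.0.5"},
    {"_time": T0 + 40, "EventCode": "4771", "user": "jdoe", "host": "DC02", "Client_Address": "::ffff:10.0.0.5"},
    {"_time": T0 + 50, "EventCode": "4625", "user": "JDOE", "host": "DC01", "Source_Network_Address": "10.0.0.9"},
    # the lockout: Caller_Computer_Name is the host that submitted the failing attempt
    {"_time": T0 + 60, "EventCode": "4740", "user": "jdoe", "host": "DC01",
     "dest_nt_domain": "CORP", "Caller_Computer_Name": "WKS-FINANCE-07"},
    # a failure long after the lockout: belongs to a later episode, not this one
    {"_time": T0 + 7200, "EventCode": "4625", "user": "jdoe", "host": "DC01", "Source_Network_Address": "10.0.0.5"},
    # failures for a user who never locked out: must not produce a record
    {"_time": T0 + 15, "EventCode": "4625", "user": "asmith", "host": "DC01", "Source_Network_Address": "10.0.0.7"},
    # a lockout with no failures visible here (e.g. the failing DC does not forward to Splunk)
    {"_time": T0 + 90, "EventCode": "4740", "user": "svc_backup", "host": "DC03",
     "dest_nt_domain": "CORP", "Caller_Computer_Name": "APP-SRV-02"},
]

if __name__ == "__main__":
    for rec in correlate_lockouts(SAMPLE_EVENTS):
        account = rec["dest_nt_domain"] + "\\" + rec["user"]
        print(f"{account} locked at {rec['lockout_time']} (reported by {rec['reported_by_dc']}, "
              f"caller {rec['caller_computer']}): {rec['failures_in_window']} failures "
              f"in window, sources {rec['failures_by_source']}")
```

The svc_backup record is the case an alert should still fire on: a lockout with zero visible failures usually means the failing attempts were authenticated by a DC that is not forwarding to the index, so the Caller Computer Name from the 4740 is the only lead. In SPL the equivalent change is to use coalesce(Source_Network_Address, Client_Address) for the source, pull Caller_Computer_Name from the 4740, and restrict the failure count to the window preceding the lockout rather than the whole search range.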