Splunk Search

Failed Login to Locked out account

mihall
Path Finder

I am trying to identify an event that fires when a login has been attempted to a previously locked account. I am not looking for failed logins or lockout events. I just want the failed login attempt that occurred on an account that was already locked out. Any help figuring out how to design a query for this would be great.

1 Solution

abhijit_mhatre
Path Finder

Yes, it would work; just modify the query a little bit:

index=winsec EventCode=4625 user=abc | append [search EventCode=4740 user=abc] | table user, _time


jchintha
Engager

Locked out account search form

<form>
  <label>Account Lockout Search</label>
  <!-- base search shared by every panel; $user$ comes from the text input in the
       fieldset. The EventCode terms are grouped in parentheses so that the user
       filter applies to all of them and not only to the last OR branch -->
  <searchTemplate>eventtype="windows_events" sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4723 OR EventCode=4724 OR EventCode=4625 OR EventCode=4769 OR EventCode=4767 OR EventCode=4776) user="$user$" | eval Workstation_Name=coalesce(Workstation_Name,Source_Workstation) | table _time, src_ip, user, action, Workstation_Name, src_nt_host, name, Failure_Reason | rename name AS Description | sort user</searchTemplate>

  <fieldset>
    <!-- text box seeded with *; if the user enters nothing, the $user$ token in
         searchTemplate is filled with that default so the search still runs -->
    <input type="text" token="user">
      <default>*</default>
    </input>
    <!-- time picker without a token sets the time range of the searchTemplate -->
    <input type="time">
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <!-- event list: <event> is its own visualization and cannot be nested inside <table> -->
      <event>
        <title>Results</title>
        <option name="count">50</option>
      </event>
    </panel>
  </row>

  <row>
    <panel>
      <chart>
        <title>Top Descriptions</title>
        <searchPostProcess>| top limit=20 Description</searchPostProcess>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top Source IP by Time</title>
        <searchPostProcess>| timechart count by src_ip limit=10</searchPostProcess>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Count over time</title>
        <searchPostProcess>| chart sparkline count by user</searchPostProcess>
        <format field="sparkline" type="sparkline"></format>
      </table>
    </panel>
  </row>
</form>

mihall
Path Finder

What does append do here?

0 Karma

abhijit_mhatre
Path Finder

It will append the search result of one search with another.

0 Karma

abhijit_mhatre
Path Finder

Hi Mihall,

If an account gets locked out, the next event coming would be either a failed logon (EventCode 4625) or Kerberos pre-authentication failed (4771) event for that particular account. You can use the below query:

index=winsec EventCode=4625 OR EventCode=4771 user=abc(locked out user) | eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S") | dedup user ComputerName | eval Error=coalesce(Failure_Reason, Failure_Code)| table Time user Error EventCodeDescription

Let me know if this works.
Thanks.
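
The accepted `append` query and the 4625/4771 query in this reply both list failed logons for the account; they do not by themselves separate a wrong-password failure from an attempt made against an account that is already locked. The following Python is an added example, not code from this thread or from Splunk: it walks the events in time order keeping a per-user "locked since" state (set by 4740, cleared by a 4767 unlock) and reports only the 4625/4771 events that fall after the lockout, which is the correlation the question asks for. It also shows the cheaper check of the 4625 Sub Status 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT). The event records, timestamps, host names, the user `abc` and the 30-minute window are constructed sample data; the event IDs and the status code are the documented Windows values.

```python
from datetime import datetime, timedelta

# Windows Security event IDs referenced in this thread
ACCOUNT_LOCKED_OUT = 4740
ACCOUNT_UNLOCKED = 4767
FAILED_LOGON = 4625
KERBEROS_PREAUTH_FAILED = 4771

# Sub Status a 4625 carries when the logon was refused because the account
# is already locked (NTSTATUS STATUS_ACCOUNT_LOCKED_OUT)
STATUS_ACCOUNT_LOCKED_OUT = "0xC0000234"

# Constructed sample events, shaped like the fields Splunk extracts from
# WinEventLog:Security. Times, hosts and the user "abc" are made up.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "EventCode": 4625, "user": "abc", "ComputerName": "WS01", "Sub_Status": "0xC000006A"},
    {"_time": "2024-03-01 09:00:30", "EventCode": 4625, "user": "abc", "ComputerName": "WS01", "Sub_Status": "0xC000006A"},
    {"_time": "2024-03-01 09:01:00", "EventCode": 4740, "user": "abc", "ComputerName": "DC01"},
    {"_time": "2024-03-01 09:05:00", "EventCode": 4625, "user": "abc", "ComputerName": "WS02", "Sub_Status": "0xC0000234"},
    {"_time": "2024-03-01 09:06:00", "EventCode": 4771, "user": "abc", "ComputerName": "DC01", "Failure_Code": "0x12"},
    {"_time": "2024-03-01 09:10:00", "EventCode": 4625, "user": "xyz", "ComputerName": "WS03", "Sub_Status": "0xC000006A"},
    {"_time": "2024-03-01 09:20:00", "EventCode": 4767, "user": "abc", "ComputerName": "DC01"},
    {"_time": "2024-03-01 09:25:00", "EventCode": 4625, "user": "abc", "ComputerName": "WS01", "Sub_Status": "0xC000006A"},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def failed_logons_after_lockout(events, window_minutes=30):
    """Return the 4625/4771 events that follow a 4740 for the same account.

    Events are walked in time order while a per-user "locked since" state is
    kept: a 4740 sets it, a 4767 clears it, and a failed logon is reported only
    while the account is in that state and within window_minutes of the 4740.
    The 30-minute default is an assumption; match it to your lockout duration.
    """
    window = timedelta(minutes=window_minutes)
    locked_since = {}
    hits = []
    for ev in sorted(events, key=lambda e: _parse_time(e["_time"])):
        t = _parse_time(ev["_time"])
        user = ev["user"].lower()
        code = ev["EventCode"]
        if code == ACCOUNT_LOCKED_OUT:
            locked_since[user] = t
        elif code == ACCOUNT_UNLOCKED:
            locked_since.pop(user, None)
        elif code in (FAILED_LOGON, KERBEROS_PREAUTH_FAILED):
            since = locked_since.get(user)
            if since is not None and t <= since + window:
                hits.append({
                    **ev,
                    "locked_at": since.strftime("%Y-%m-%d %H:%M:%S"),
                    "seconds_after_lockout": int((t - since).total_seconds()),
                })
    return hits


def failed_logons_flagged_locked(events):
    """Shortcut that needs no correlation: a 4625 whose Sub_Status is
    0xC0000234 was rejected specifically because the account was locked.
    It does not cover 4771, whose failure code 0x12 also covers disabled
    and expired accounts."""
    return [
        ev for ev in events
        if ev["EventCode"] == FAILED_LOGON
        and ev.get("Sub_Status", "").lower() == STATUS_ACCOUNT_LOCKED_OUT.lower()
    ]


if __name__ == "__main__":
    for hit in failed_logons_after_lockout(SAMPLE_EVENTS):
        print(f'{hit["_time"]} {hit["EventCode"]} user={hit["user"]} host={hit["ComputerName"]} '
              f'locked_at={hit["locked_at"]} (+{hit["seconds_after_lockout"]}s)')
    print("flagged by Sub_Status:", len(failed_logons_flagged_locked(SAMPLE_EVENTS)))
```

On the sample data the correlation returns the 4625 from WS02 and the 4771 that follow the 4740, and skips both the wrong-password failures that caused the lockout and the one after the 4767 unlock. The same per-user running state is what a time-sorted SPL search would have to carry (for example with `streamstats ... by user`) to get past the plain concatenation that `append` produces.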

mihall
Path Finder

The results produced are showing all failed logins, including events that occurred due to a failed password attempt. Is there a way to narrow this down further so that it's only showing events that came after a lockout? Thanks

0 Karma

abhijit_mhatre
Path Finder

The event which will occur after an account gets locked out would be a failed login event. So if user=abc gets locked out, the next event for user=abc would be a failed logon. EventCode 4625 would show you failed logon events.

0 Karma

mihall
Path Finder

So would the following search and subsearch find the locked out accounts and look for failed logon attempts to them?

EventCode=4625 [search EventCode=4740] | table user, _time

0 Karma