Splunk Lantern

Windows account lockouts

You might need to get a list of accounts that are locked out when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A common task for administrators is to track down locked accounts and unlock the accounts if appropriate. You want to use Splunk to get this list, along with related information, and possibly also to set up alerts that can be integrated with ticketing, paging, and automation tools. 

To optimize the search shown below, you should specify an index and a time range. 

  1. Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search: 
sourcetype="wineventlog" EventCode=4740 OR EventCode=644 
|eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host) 
|stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user 
|eval ltime=strftime(time,"%c") 
|table ltime,dest_nt_domain user host 
|rename ltime AS "Lockout Time",dest_nt_domain AS Domain,user AS "Account Locked Out", host AS "Workstation"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype="wineventlog" 

Search only Windows event logs. 

EventCode=4740 OR EventCode=644

Return account lockout events.

|eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)

Set src_nt_host to the value of host when src_nt_host is null; otherwise keep its existing value. 

|stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user

For each dest_nt_domain and user pair, return the _time and the src_nt_host of the most recent event. 

|eval ltime=strftime(time,"%c")

Format time to the local format of the host running the Splunk search head. 

|table ltime,dest_nt_domain user host

Display the results in a table with columns in the order shown.

|rename ltime AS "Lockout Time",dest_nt_domain AS Domain,user AS "Account Locked Out", host AS "Workstation"

Rename the fields as shown for better readability.
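The script below is an added example, not part of this Lantern article or of Splunk's own code. It reproduces the search's logic outside Splunk on a handful of constructed 4740/4624 events: filtering on the two lockout event codes, falling back from src_nt_host to host when the caller workstation is missing, keeping the latest event per domain/user pair, and formatting the time with the same %c format the search uses. It goes one step beyond the search by also listing workstations that have triggered lockouts for more than one account, a pattern worth passing to the security team as the article suggests. All hosts, users, domains and timestamps in SAMPLE_EVENTS are invented.

```python
from datetime import datetime
from typing import Dict, List, Tuple

LOCKOUT_CODES = {4740, 644}  # the two event codes the Splunk search matches

# Constructed sample events standing in for parsed wineventlog records.
# Field names mirror those used by the Splunk search; every value is invented.
SAMPLE_EVENTS: List[Dict] = [
    {"EventCode": 4740, "_time": 1601728969, "host": "dc01",
     "src_nt_host": "aa_dev_user_wkstn", "dest_nt_domain": "SPLUNKTEL", "user": "aa_dev_user"},
    # A later lockout for the same account with no caller workstation recorded,
    # so the search's eval falls back to the host that logged the event.
    {"EventCode": 4740, "_time": 1601729000, "host": "dc01",
     "src_nt_host": None, "dest_nt_domain": "SPLUNKTEL", "user": "aa_dev_user"},
    {"EventCode": 4740, "_time": 1601729629, "host": "dc02",
     "src_nt_host": "pete_do_wkstn", "dest_nt_domain": "SPLUNKTEL", "user": "pete_do"},
    {"EventCode": 4740, "_time": 1601730049, "host": "dc02",
     "src_nt_host": "pete_do_wkstn", "dest_nt_domain": "SPLUNKTEL", "user": "test_the_do"},
    # A successful logon (4624) is not a lockout, so the search drops it.
    {"EventCode": 4624, "_time": 1601730100, "host": "dc01",
     "src_nt_host": "other_wkstn", "dest_nt_domain": "SPLUNKTEL", "user": "someone"},
]

Key = Tuple[str, str]     # (dest_nt_domain, user)
Latest = Tuple[int, str]  # (_time of the latest lockout, workstation)


def aggregate_lockouts(events: List[Dict]) -> Dict[Key, Latest]:
    """Equivalent of the search's filter, eval and stats stages."""
    latest: Dict[Key, Latest] = {}
    for ev in events:
        if ev.get("EventCode") not in LOCKOUT_CODES:
            continue
        # eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
        workstation = ev.get("src_nt_host")
        if workstation is None:
            workstation = ev["host"]
        key: Key = (ev["dest_nt_domain"], ev["user"])
        # stats latest(_time) latest(src_nt_host) BY dest_nt_domain user:
        # keep only the most recent event for each domain/user pair.
        if key not in latest or ev["_time"] >= latest[key][0]:
            latest[key] = (ev["_time"], workstation)
    return latest


def format_rows(latest: Dict[Key, Latest]) -> List[Dict[str, str]]:
    """The table and rename stages: one dict per row using the renamed column names."""
    rows = []
    for (domain, user), (t, workstation) in sorted(latest.items()):
        rows.append({
            # strftime(time, "%c") in the search; %c is locale dependent here too
            "Lockout Time": datetime.fromtimestamp(t).strftime("%c"),
            "Domain": domain,
            "Account Locked Out": user,
            "Workstation": workstation,
        })
    return rows


def shared_source_workstations(latest: Dict[Key, Latest],
                               min_accounts: int = 2) -> Dict[str, List[str]]:
    """Workstations whose lockouts cover at least min_accounts distinct accounts.

    This goes beyond the article's search: one workstation locking out several
    accounts is the kind of lockout worth a closer look by the security team.
    """
    by_workstation: Dict[str, List[str]] = {}
    for (_domain, user), (_t, workstation) in latest.items():
        by_workstation.setdefault(workstation, []).append(user)
    return {w: sorted(users) for w, users in by_workstation.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    agg = aggregate_lockouts(SAMPLE_EVENTS)
    for row in format_rows(agg):
        print("  ".join(f"{k}: {v}" for k, v in row.items()))
    for workstation, users in shared_source_workstations(agg).items():
        print(f"review: {workstation} locked out {len(users)} accounts: {', '.join(users)}")
```

The fallback in aggregate_lockouts matters in practice: 4740 events are written by the domain controller, and when the caller computer name is absent the only location you have is the logging host, which is what the search's eval preserves.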

Result

The search results are presented in a table that shows the latest time of the lockout, the domain, the account that was locked out, and the workstation that the lockout condition was triggered on. 

A good next step would be to run this on a schedule, such as every 8 hours, and have the administrators on duty investigate and mitigate each lockout. Sometimes the account locked out is a script that has an embedded password that has expired. Other times, users have mistyped their credentials too many times and need help with recovery. A lockout can also indicate security issues, so it is advisable to coordinate these searches with the security team. 

Lockout Time              Domain     Account Locked Out  Workstation
Sat Oct  3 12:42:49 2020  SPLUNKTEL  aa_dev_user         aa_dev_user_wkstn
Sat Oct  3 12:55:49 2020  SPLUNKTEL  cont_bbrohax0r      cont_bbrohax0r_wkstn
Sat Oct  3 12:31:49 2020  SPLUNKTEL  cont_bfroto         cont_bfroto_wkstn
Sat Oct  3 12:31:49 2020  SPLUNKTEL  cont_jflyby         cont_jflyby_wkstn
Sat Oct  3 12:56:49 2020  SPLUNKTEL  cont_jfrench        cont_jfrench_wkstn
Sat Oct  3 12:31:49 2020  SPLUNKTEL  dall_gibbs          ceo_wkstn
Sat Oct  3 12:46:49 2020  SPLUNKTEL  pete_do             pete_do_wkstn
Sat Oct  3 12:53:49 2020  SPLUNKTEL  test_the_do         pete_do_wkstn

To schedule a search like this, begin by saving the search as a report and then adding a schedule to that report. The workflow for scheduling a report is documented here.
