Investigating user login issues and account lockouts
You are an analyst tasked with administering account access for your organization. You are frequently contacted by users who are unable to log in or who are locked out of their accounts. Resolving these issues often requires time-consuming manual investigation.
You'd like to set up searches in Splunk to help you identify the root cause of these issues more quickly. In addition, you'd like to start responding more proactively to account lockout scenarios by generating a list of locked accounts, along with related information, and setting up alerts that can be integrated with ticketing, paging, and automation tools.
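The following savedsearches.conf stanza is an added example for this page, not a search or alert shipped by Splunk: it correlates Windows Security event 4740 (an account was locked out) with the preceding 4625 failed-logon events to produce the locked-account list described above, with the calling computer, failing workstations or source addresses, and decoded failure sub-status for each account, and it wraps that search in a scheduled alert that is throttled per account so it can feed a ticketing or paging integration. The index name `wineventlog`, the stanza name, the recipient address and the webhook URL are placeholders; the sourcetype and field names (`EventCode`, `Account_Name`, `Sub_Status`, `Caller_Computer_Name`, `Workstation_Name`, `Source_Network_Address`, `Logon_Type`) assume the classic, non-XML rendering produced by the Splunk Add-on for Microsoft Windows, and the assumption that the last value of the multivalue `Account_Name` field is the target account should be checked against your own events before the alert goes live.

```ini
# Added example (not a Splunk-provided search). Place in
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf and restart
# or reload. Index, stanza name, recipient and webhook URL are placeholders.
# Backslash at end of line continues the search onto the next line.
[Account lockouts with failed-logon context]
description = Locked-out accounts in the last window, with the caller computer and failed-logon reasons that point at the lockout source
disabled = 0
enableSched = 1
cron_schedule = */15 * * * *
# Overlap the window slightly so late-indexed events are not missed;
# per-account throttling below prevents duplicate alerts.
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
# Assumption: Windows Security logs live in an index named wineventlog with the
# classic (non-XML) sourcetype; adjust both to match your environment.
search = index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4625) \
  | eval user=lower(mvindex(Account_Name, -1)) \
  | eval failure_reason=case(EventCode!=4625, null(), \
        Sub_Status=="0xC000006A", "bad password", \
        Sub_Status=="0xC0000234", "account already locked out", \
        Sub_Status=="0xC0000072", "account disabled", \
        Sub_Status=="0xC0000071", "password expired", \
        Sub_Status=="0xC0000193", "account expired", \
        Sub_Status=="0xC0000064", "user name does not exist", \
        true(), Sub_Status) \
  | stats count(eval(EventCode==4740)) AS lockouts, \
          count(eval(EventCode==4625)) AS failed_logons, \
          max(eval(if(EventCode==4740, _time, null()))) AS last_lockout, \
          values(Caller_Computer_Name) AS lockout_callers, \
          values(Workstation_Name) AS failing_workstations, \
          values(Source_Network_Address) AS failing_src_ips, \
          values(Logon_Type) AS logon_types, \
          values(failure_reason) AS failure_reasons \
    BY user \
  | where lockouts > 0 \
  | eval last_lockout=strftime(last_lockout, "%Y-%m-%d %H:%M:%S") \
  | sort - lockouts, - failed_logons
# Trigger whenever at least one locked account is returned.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
# Per-result mode plus throttling on the user field: one alert per locked
# account per hour, which maps cleanly onto one ticket per account.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 60m
# Notification: email here; the two commented webhook keys show the
# equivalent hook into a ticketing or automation endpoint (placeholder URL).
action.email = 1
action.email.to = identity-ops@example.com
action.email.subject = Account lockout: $result.user$ (callers: $result.lockout_callers$)
action.email.sendresults = 1
# action.webhook = 1
# action.webhook.param.url = https://ticketing.example.com/hooks/splunk-lockouts
```

Read the output from the lockout source outward: `lockout_callers` is the computer that submitted the bad credentials to the domain controller, and `failing_workstations` and `failing_src_ips` with a `failure_reasons` value of "bad password" usually identify a stale cached credential on that host (a service, scheduled task, mapped drive or saved browser password). If the caller is empty or is a domain controller's own name, the bad password arrived through a pass-through authentication path and the next stop is credential-validation event 4776 on the domain controllers rather than this search. Run the `search =` value interactively first to confirm that `mvindex(Account_Name, -1)` really returns the target account in your data and that `Sub_Status` is extracted with the expected casing before enabling the schedule.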
Data required
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
Next steps
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Active Directory group policies administration
- Identity and Access Management systems administration (e.g., OneLogin, Okta, etc.)
Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Count of zombie account lockouts: number mitigated per unit of time
- A reduction in the time taken for any of the following:
  - Mean time to user account lockout discovery and resolution
  - Mean time to detect (MTTD) problems
  - Mean time to investigate
  - Mean time to resolution
- Time to provide attestation to regulatory requirements related to user accounts, such as CIS Control 16 (Account Monitoring and Control in CIS Controls v7; the same requirements appear as Control 5, Account Management, in v8)
In addition, these Splunk resources might help you understand and implement this use case:
- Whitepaper: The Essential guide to AIOps
- Analysis Report: Market guide to AIOps platforms
- Tech Talk: My start will go on: Splunk's TA for Windows Part 1
- Tech Talk: My start will go on: Splunk's TA for Windows Part 2