Windows account lockouts
A common task for administrators is to track down locked accounts and unlock the accounts if appropriate. You want to use Splunk to get this list, along with related information, and possibly also to set up alerts that can be integrated with ticketing, paging, and automation tools.
Data required
Procedure
- Verify that you have deployed the Splunk Add-on for Microsoft Windows to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="wineventlog" EventCode=4740 OR EventCode=644 |eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host) |stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user |eval ltime=strftime(time,"%c") |table ltime,dest_nt_domain user host |rename ltime AS "Lockout Time",dest_nt_domain AS Domain,user AS "Account Locked Out", host AS "Workstation"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype="wineventlog" | Search only Windows event logs. |
EventCode=4740 OR EventCode=644 | Return account lockout events (4740 on Windows Vista and later; 644 on earlier Windows versions). |
\|eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host) | Set src_nt_host to the value of the host field when src_nt_host is null; otherwise keep its existing value. |
\|stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user | For each domain and user pair, return the most recent _time and the src_nt_host of the most recent event. |
\|eval ltime=strftime(time,"%c") | Format the time in the locale of the host running the Splunk search head. |
\|table ltime,dest_nt_domain user host | Display the results in a table with columns in the order shown. |
\|rename ltime AS "Lockout Time",dest_nt_domain AS Domain,user AS "Account Locked Out", host AS "Workstation" | Rename the fields as shown for better readability. |
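To make the eval and stats stages concrete, here is an added Python example (not part of the original page and not Splunk code) that applies the same logic to a few constructed EventCode 4740 events: the src_nt_host fallback to host, the per-domain-and-user latest record, and the final column layout. Field names follow the search; the sample events, hosts and timestamps are constructed.

```python
import time

# Constructed sample lockout events (EventCode 4740), not real log data.
# Each dict carries the Splunk fields the search relies on. src_nt_host is
# None where the add-on did not extract it, so the host that logged the
# event is used instead, mirroring the isnull() fallback in the search.
SAMPLE_EVENTS = [
    {"_time": 1601727500, "host": "dc01", "src_nt_host": "ceo_wkstn",
     "dest_nt_domain": "SPLUNKTEL", "user": "dall_gibbs"},
    {"_time": 1601728969, "host": "dc01", "src_nt_host": "pete_do_wkstn",
     "dest_nt_domain": "SPLUNKTEL", "user": "pete_do"},
    {"_time": 1601729629, "host": "dc01", "src_nt_host": "pete_do_wkstn",
     "dest_nt_domain": "SPLUNKTEL", "user": "test_the_do"},
    {"_time": 1601727109, "host": "dc02", "src_nt_host": "fileserver01",
     "dest_nt_domain": "SPLUNKTEL", "user": "dall_gibbs"},  # older, must lose
    {"_time": 1601728000, "host": "dc02", "src_nt_host": None,
     "dest_nt_domain": "SPLUNKTEL", "user": "aa_dev_user"},
]

def latest_lockouts(events):
    """Equivalent of the eval + stats stages: for every (domain, user) keep
    the most recent lockout time and the workstation seen on that event."""
    latest = {}
    for ev in events:
        # eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
        src = ev["src_nt_host"] if ev["src_nt_host"] is not None else ev["host"]
        key = (ev["dest_nt_domain"], ev["user"])
        if key not in latest or ev["_time"] > latest[key]["time"]:
            latest[key] = {"time": ev["_time"], "host": src}
    return latest

def lockout_table(events):
    """Render rows in the same column order as the table + rename stages."""
    rows = []
    for (domain, user), rec in sorted(latest_lockouts(events).items()):
        rows.append({
            "Lockout Time": time.strftime("%c", time.localtime(rec["time"])),
            "Domain": domain,
            "Account Locked Out": user,
            "Workstation": rec["host"],
        })
    return rows

if __name__ == "__main__":
    for row in lockout_table(SAMPLE_EVENTS):
        print(row)
```

Two accounts locked out from the same workstation (pete_do and test_the_do above) show up as separate rows, which is the kind of pattern the on-duty administrator should notice when reviewing the table.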
Next steps
The search results are presented in a table that shows the latest time of the lockout, the domain, the account that was locked out, and the workstation that the lockout condition was triggered on.
A good next step would be to run this on a schedule, such as every 8 hours, and have the administrators on duty investigate and mitigate each lockout. Sometimes the account locked out is a script that has an embedded password that has expired. Other times, users have mistyped their credentials too many times and need help with recovery. A lockout can also indicate security issues, so it is advisable to coordinate these searches with the security team.
Lockout Time | Domain | Account Locked Out | Workstation |
---|---|---|---|
Sat Oct 3 12:42:49 2020 | SPLUNKTEL | aa_dev_user | aa_dev_user_wkstn |
Sat Oct 3 12:55:49 2020 | SPLUNKTEL | cont_bbrohax0r | cont_bbrohax0r_wkstn |
Sat Oct 3 12:31:49 2020 | SPLUNKTEL | cont_bfroto | cont_bfroto_wkstn |
Sat Oct 3 12:31:49 2020 | SPLUNKTEL | cont_jflyby | cont_jflyby_wkstn |
Sat Oct 3 12:56:49 2020 | SPLUNKTEL | cont_jfrench | cont_jfrench_wkstn |
Sat Oct 3 12:31:49 2020 | SPLUNKTEL | dall_gibbs | ceo_wkstn |
Sat Oct 3 12:46:49 2020 | SPLUNKTEL | pete_do | pete_do_wkstn |
Sat Oct 3 12:53:49 2020 | SPLUNKTEL | test_the_do | pete_do_wkstn |
To schedule a search like this, begin by saving the search as a report and then add a schedule to that report. The workflow for scheduling a report is documented here.
Finally, you might be interested in other processes associated with the Investigating user login issues and account lockouts use case.