Skip to main content
Splunk Lantern

Windows account lockouts

A common task for administrators is to track down locked accounts and unlock the accounts if appropriate. You want to use Splunk to get this list, along with related information, and possibly also to set up alerts that can be integrated with ticketing, paging, and automation tools. 

Data required

Windows event logs

Procedure

  1. Verify that you have deployed the Splunk Add-on for Microsoft Windows to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="wineventlog" EventCode=4740 OR EventCode=644 
|eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host) 
|stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user 
|eval ltime=strftime(time,"%c") 
|table ltime,dest_nt_domain user host 
|rename ltime AS "Lockout Time",dest_nt_domain AS Domain,user AS "Account Locked Out", host AS "Workstation"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="wineventlog" 

Search only Windows event logs. 

EventCode=4740 OR EventCode=644

Return account lockout events.

|eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)

Set the src_nt_host value to that of the host key if it is null. Otherwise, remain at its non-null value. 

|stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user

Return the latest occurrence of _time and the latest event with src_nt_host. 

|eval ltime=strftime(time,"%c")

Format time to the local format of the host running the Splunk search head. 

|table ltime,dest_nt_domain user host

Display the results in a table with columns in the order shown.

|rename ltime AS "Lockout Time",dest_nt_domain AS Domain,user AS "Account Locked Out", host AS "Workstation"

Rename the fields as shown for better readability.

Next steps

The search results are presented in a table that shows the latest time of the lockout, the domain, the account that was locked out, and the workstation that the lockout condition was triggered on. 

A good next step would be to run this on a schedule, such as every 8 hours, and have the administrators on duty investigate and mitigate each lockout. Sometimes the account locked out is a script that has an embedded password that has expired. Other times, users have mistyped their credentials too many times and need help with recovery. A lockout can also indicate security issues, so it is advisable to coordinate these searches with the security team. 

Lockout Time Domain Account Locked Out Workstation

Sat Oct  3 12:42:49 2020

SPLUNKTEL

aa_dev_user

aa_dev_user_wkstn

Sat Oct  3 12:55:49 2020

SPLUNKTEL

cont_bbrohax0r

cont_bbrohax0r_wkstn

Sat Oct  3 12:31:49 2020

SPLUNKTEL

cont_bfroto

cont_bfroto_wkstn

Sat Oct  3 12:31:49 2020

SPLUNKTEL

cont_jflyby

cont_jflyby_wkstn

Sat Oct  3 12:56:49 2020

SPLUNKTEL

cont_jfrench

cont_jfrench_wkstn

Sat Oct  3 12:31:49 2020

SPLUNKTEL

dall_gibbs

ceo_wkstn

Sat Oct  3 12:46:49 2020

SPLUNKTEL

pete_do

pete_do_wkstn

Sat Oct  3 12:53:49 2020

SPLUNKTEL

test_the_do

pete_do_wkstn

To schedule a search like this, begin by saving the search as a report and then putting a schedule on to the search. The workflow for scheduling a report is documented here

Finally, you might be interested in other processes associated with the Investigating user login issues and account lockouts use case.