Splunk Lantern

Investigating user login issues and account lockouts


You are an analyst tasked with administering account access for your organization. You are frequently contacted by users who are unable to log in or who are locked out of their accounts. Resolving these issues often requires time-consuming manual investigation.

You'd like to set up searches in Splunk to help you identify the root cause of these issues more quickly. In addition, you'd like to start responding more proactively to account lockout scenarios by generating a list of locked accounts, along with related information, and setting up alerts that can be integrated with ticketing, paging, and automation tools.

Data required

Windows event logs
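One way to build the locked-accounts list and alert described above, as an added example that is not from the original Lantern article: a search over Windows Security events for lockout event ID 4740, summarised per account. The index name `wineventlog` and the field names `user` (the locked account), `Caller_Computer_Name` (the machine whose failed logons triggered the lockout) and `host` (the domain controller that logged the event) are assumptions about how the Splunk Add-on for Windows has extracted the events in your environment.

```spl
index=wineventlog EventCode=4740 earliest=-24h
| stats count AS lockouts,
        min(_time) AS first_lockout,
        max(_time) AS last_lockout,
        dc(Caller_Computer_Name) AS distinct_sources,
        values(Caller_Computer_Name) AS source_hosts,
        values(host) AS domain_controllers
  BY user
| eval likely_stale_credential=if(lockouts>=3 AND distinct_sources=1, "yes", "no")
| convert ctime(first_lockout) ctime(last_lockout)
| sort - lockouts
```

The `likely_stale_credential` flag marks accounts locked repeatedly from a single source host, the usual signature of cached credentials or a scheduled task still using an old password; saved as a scheduled alert that triggers when results are returned, the search can feed your ticketing or paging integration.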

How to use Splunk software for this use case

Depending on what information you have available, you might find it useful to identify some or all of the following: 

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:

  • Active Directory group policies administration
  • Identity and Access Management systems administration (e.g., OneLogin, Okta, etc.)

Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Count of zombie account lockouts: number mitigated per unit of time
  • A reduction in the time taken for any of the following:
    • Mean time to user account lockout discovery and resolution
    • Mean time to detect (MTTD) problems
    • Mean time to investigate
    • Mean time to resolution
    • Time to provide attestation to regulatory requirements related to user accounts, such as CIS Control 16

In addition, these Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.