{"id":170,"date":"2009-12-21T16:03:47","date_gmt":"2009-12-21T22:03:47","guid":{"rendered":"http:\/\/www.anthonyreinke.com\/?p=170"},"modified":"2009-12-21T16:03:47","modified_gmt":"2009-12-21T22:03:47","slug":"searching-for-account-lockouts-with-splunk","status":"publish","type":"post","link":"https:\/\/anthonyreinke.com\/index.php\/2009\/12\/21\/searching-for-account-lockouts-with-splunk\/","title":{"rendered":"Searching for Account Lockouts with Splunk"},"content":{"rendered":"

This requires that the Splunk agent is getting the security event from the Domain Controller(s).<\/p>\n

    \n
  1. Find the username of the person<\/li>\n
  2. Log in to the Splunk server.<\/li>\n
  3. Click on the Search button.
    \n\"\"<\/a><\/li>\n
  4. Enter the search paramitters to find the user and select your time frame for the search:
    \nsource=”WinEventLog:Security” User_Name=”lockedUser”
    \n    \"\"<\/a><\/li>\n
  5. Then check the \u201cClient_Address\u201d field.\u00a0 This can be found on the left column.
    \n    \"\"<\/a><\/li>\n
  6. The client IP shows where the lockout came from.<\/li>\n<\/ol>\n
    <\/p>\n

    1. <\/span><\/span><\/span>Find the username of the person<\/p>\n

    2. <\/span><\/span><\/span>Log in to the Splunk server.<\/p>\n

    3. <\/span><\/span><\/span>Click on the Search button
    \n\"\"<\/span><\/p>\n

    4. <\/span><\/span><\/span>Enter the search paramitters to find the user and select your time frame for the search:
    \nsource=”WinEventLog:Security” Type=”Failure Audit” User_Name=”lockedUser”<\/p>\n

    \"\"<\/span><\/p>\n

    5. <\/span><\/span><\/span>Then check the \u201cClient_Address\u201d field. <\/span>This can be found on the left column
    \n\"\"<\/span><\/p>\n

    6. <\/span><\/span><\/span>The client IP shows where the lockout came from.<\/p>\n

    <\/mce><\/div>\n","protected":false},"excerpt":{"rendered":"

    This requires that the Splunk agent is getting the security event from the Domain Controller(s). Find the username of the person Log in to the Splunk server. Click on the Search button. Enter the search paramitters to find the user and select your time frame for the search: source=”WinEventLog:Security” User_Name=”lockedUser” Then check the \u201cClient_Address\u201d field.\u00a0 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-170","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/comments?post=170"}],"version-history":[{"count":0,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/170\/revisions"}],"wp:attachment":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/media?parent=170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/categories?post=170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/tags?post=170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}