Most of Splunk correlation methods like transaction, join, append, subsearch, stats and lookup will work. Depends on your scenario:

1) Pull up all failed login attempts by all disabled users (stats or lookup will be better), or
2) Do you have a disabled user for whom you need to find failed login attempts (transaction will be better)?

Refer to Splunk documentation on which event correlation technique to be picked up under what scenario.

In order for the community to assist you, can you provide one sample event from each of the 639 and 531 Event IDs? Please make sure that you change actual names/IDs and details to mock data so that we can assist you more with the correlation.

Following is a sample query for guidance:

1) Create a lookup file through a scheduled search via the outputlookup command for Disabled Account (EventCode=639) and log meaningful details like Disabled User ID, Domain, Unique ID, Date of Deactivation etc.

index="" sourcetype="WineventLog:Security" EventCode="639" Privileges="Disabled" CallerLogonID=*

2) Perform stats on Failed Login Attempts (EventCode=531) to capture details on frequency, number of failed attempts, source IPs, host/s, and link with the lookup table to fill in the details. Schedule can be as per your requirement, like hourly once or daily once.

index="" sourcetype="WineventLog:Security" EventCode="531" CallerLogonID=*
| lookup CallerLogonID OUTPUT _time as UserDisabledDate
| stats count min(_time) as EarliestFailedLogin max(_time) as LatestFailedLogin values(host) as ServersAttempted by CallerLogonID

Option with stats: (I think you meant sourcetype in your question, not index, as your index name might be different.) Assuming CallerLogonID as the joining field and Privileges=Disabled for disabled account.
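The two-step correlation described in the answer (build a lookup of disabled accounts from EventCode 639, then summarise EventCode 531 failures per CallerLogonID), as an added Python walkthrough that is not part of the original post. The events are constructed samples with the field names used in the search; dropping unmatched accounts corresponds to appending `| where isnotnull(UserDisabledDate)` to the SPL, which the post does not do.

```python
"""Correlate 'account disabled' events (EventCode 639) with failed logons
(EventCode 531) by CallerLogonID, mirroring the lookup + stats search."""
from collections import defaultdict

# Constructed sample events; not real Windows Security log data.
EVENTS = [
    {"_time": 1000, "EventCode": "639", "Privileges": "Disabled",
     "CallerLogonID": "jdoe", "host": "DC01"},
    {"_time": 1100, "EventCode": "639", "Privileges": "Disabled",
     "CallerLogonID": "asmith", "host": "DC01"},
    {"_time": 1200, "EventCode": "531", "CallerLogonID": "jdoe", "host": "SRV01"},
    {"_time": 1300, "EventCode": "531", "CallerLogonID": "jdoe", "host": "SRV02"},
    {"_time": 1350, "EventCode": "531", "CallerLogonID": "jdoe", "host": "SRV01"},
    {"_time": 1400, "EventCode": "531", "CallerLogonID": "bob", "host": "SRV03"},
]


def build_disabled_lookup(events):
    """Step 1 (the outputlookup table): CallerLogonID -> time the account
    was disabled. If an account was disabled more than once, keep the latest."""
    lookup = {}
    for ev in events:
        if ev.get("EventCode") == "639" and ev.get("Privileges") == "Disabled":
            uid = ev["CallerLogonID"]
            lookup[uid] = max(lookup.get(uid, 0), ev["_time"])
    return lookup


def failed_login_stats(events, lookup):
    """Step 2: '| lookup ... OUTPUT _time as UserDisabledDate | stats count
    min(_time) max(_time) values(host) by CallerLogonID'. Unlike a plain SPL
    lookup (which leaves non-matching rows with a null UserDisabledDate),
    only CallerLogonIDs present in the lookup, i.e. disabled accounts, are kept."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == "531" and ev["CallerLogonID"] in lookup:
            buckets[ev["CallerLogonID"]].append(ev)
    result = {}
    for uid, evs in buckets.items():
        times = [e["_time"] for e in evs]
        result[uid] = {
            "count": len(evs),
            "EarliestFailedLogin": min(times),
            "LatestFailedLogin": max(times),
            "ServersAttempted": sorted({e["host"] for e in evs}),  # values(host)
            "UserDisabledDate": lookup[uid],
        }
    return result


if __name__ == "__main__":
    for uid, row in failed_login_stats(EVENTS, build_disabled_lookup(EVENTS)).items():
        print(uid, row)
```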