This search detects user accounts that have been locked out a relatively high number of times in a short period.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2020-07-21
- Author: David Dorsey, Splunk
- ID: 95a7f9a5-6096-437e-a19e-86f42ac609bd
Kill Chain Phase
- CIS 16
1 2 3 4 5 6 7 8 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`
The SPL above uses the following Macros:
detect_excessive_user_account_lockouts_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
ou must ingest your Windows security event logs in the
Change datamodel under the nodename is
Account_Management, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.
Known False Positives
It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
Associated Analytic Story
|36.0||60||60||Multiple accounts have been locked out. Review $nodename$ and $result$ related to $user$.|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 3