SPLUNK - Lockout script
index=tmg user=USERNAME
index=msad EventCode=644 OR EventCode=4740 user=username
index="ad" source="WinEventLog:Security" Account_Name=USERNAME EventCode=4771 Failure_Code="0x18" earliest=-4h | table _time Client_Address Account_Name EventCode Failure_Code
index="ad" source="WinEventLog:Security" Logon_Account=USERNAME EventCode=4776 Error_Code="0xc000006a" earliest=-4h | table _time Source_Network_Address Logon_Account EventCode Error_Code Logon_Type
index="ad" source="WinEventLog:Security" Account_Name=USERNAME EventCode=4740 earliest=-4h | table _time Caller_Computer_Name Account_Name EventCode
index="ad" source="WinEventLog:Security" Account_Name=USERNAME (EventCode=4740 OR EventCode=4776 OR EventCode=4771) earliest=-4h | table _time Caller_Computer_Name Account_Name EventCode
My Spiceworks Post
https://community.spiceworks.com/scripts/show/3227-splunk-lockout-script