https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-TA-windows-puts-failed-logon-events-in-Change-Datamodel/m-p/487487#M8093 <P>Hi Splunkers,<BR /> It is strange to me and I hope someone can explain - what is the reason for ingesting Windows failed logon events to Data Model "Change" with Splunk_TA-Windows app.</P> <P>This is done by labeling <STRONG>windows_audit_log_logon</STRONG> eventtype with "<STRONG>change</STRONG>" and "<STRONG>audit</STRONG>" tags.<BR /> Mentioned eventtype is basically any windows log with EventID 4625, there is SubStatus restriction but it catches both events caused by account lockout and wrong credentials, besides there is <EM>4740: A user account was locked out</EM> that suits this purpose better IMHO.</P> Wed, 30 Sep 2020 03:43:44 GMT asobiesiak 2020-09-30T03:43:44Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-TA-windows-puts-failed-logon-events-in-Change-Datamodel/m-p/487487#M8093 <P>Hi Splunkers,<BR /> It is strange to me and I hope someone can explain - what is the reason for ingesting Windows failed logon events to Data Model "Change" with Splunk_TA-Windows app.</P> <P>This is done by labeling <STRONG>windows_audit_log_logon</STRONG> eventtype with "<STRONG>change</STRONG>" and "<STRONG>audit</STRONG>" tags.<BR /> Mentioned eventtype is basically any windows log with EventID 4625, there is SubStatus restriction but it catches both events caused by account lockout and wrong credentials, besides there is <EM>4740: A user account was locked out</EM> that suits this purpose better IMHO.</P> Wed, 30 Sep 2020 03:43:44 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-TA-windows-puts-failed-logon-events-in-Change-Datamodel/m-p/487487#M8093 asobiesiak 2020-09-30T03:43:44Z