https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286527#M86763 <P>If it does not work for you, try just </P> <PRE><CODE> index=yourindex sourcetype="WinEventLog:Security" EventCode=4624 </CODE></PRE> <P>Also, if you just want a summary, remove _time from the |stats line. </P> Thu, 28 Jul 2016 17:17:04 GMT JDukeSplunk 2016-07-28T17:17:04Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286525#M86761 <P>I hate to say it, but I am a Splunk-newb. I plan on taking a Splunk course, but for now, I am just trying to get my feet wet.</P> <P>As an introductory project, I am trying to search for failed log-on attempts.</P> <P>Can someone tell me where to start? Should I look for Windows event codes? Do I need the Splunk Support for Active Directory app, or is there another way?</P> Thu, 28 Jul 2016 16:52:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286525#M86761 mhuntington 2016-07-28T16:52:43Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286526#M86762 <P>A good place to start.<BR /> <A href="http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990744/Windows+Splunk+Logging+Cheat+Sheet+v1.1.pdf">http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990744/Windows+Splunk+Logging+Cheat+Sheet+v1.1.pdf</A></P> <P>This is the one I use for failed login events. </P> <PRE><CODE>index=yourindex sourcetype="WinEventLog:Security" EventCode=4625 |fillnull value=NULL | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials") |stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time |sort + Security_ID </CODE></PRE> <P>In case you want it, here is successful login events. </P> <PRE><CODE>index=yourindex sourcetype="WinEventLog:Security" EventCode=4624 |fillnull value=NULL | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials") |stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time |sort + Security_ID </CODE></PRE> Thu, 28 Jul 2016 17:13:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286526#M86762 JDukeSplunk 2016-07-28T17:13:20Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286527#M86763 <P>If it does not work for you, try just </P> <PRE><CODE> index=yourindex sourcetype="WinEventLog:Security" EventCode=4624 </CODE></PRE> <P>Also, if you just want a summary, remove _time from the |stats line. </P> Thu, 28 Jul 2016 17:17:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286527#M86763 JDukeSplunk 2016-07-28T17:17:04Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286528#M86764 <P>Wow, thank you very much. This looks like a perfect starting point.</P> Thu, 28 Jul 2016 17:23:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286528#M86764 mhuntington 2016-07-28T17:23:37Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286529#M86765 <P>You're very welcome, glad I could help. If this answered your question please accept the answer (I need the points)</P> Fri, 05 Aug 2016 18:48:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286529#M86765 JDukeSplunk 2016-08-05T18:48:16Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286530#M86766 <P>Tried to give you points for this answer but I don't have enough. That cheat sheet is solid GOLD!</P> Mon, 18 Jun 2018 19:56:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286530#M86766 jackal713 2018-06-18T19:56:49Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286531#M86767 <P>For what its worth as I can see this post is old, you could try this - EventCode=4625 | stats count by Account_Name, Workstation_Name, Failure_Reason, Source_Network_Address | search count&gt;5</P> <P>I have posted this as there are a few similar Splunk answers knocking around but none seemed to work for me or quite gave me what I needed, this will show failed logon attempts over 5 attempts </P> Tue, 29 Sep 2020 20:07:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286531#M86767 AaronMoorcroft 2020-09-29T20:07:02Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286532#M86768 <P>What if you were doing this on a Linux Server ?</P> Tue, 23 Oct 2018 21:25:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/286532#M86768 Greendav 2018-10-23T21:25:45Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/564252#M196556 <P>How to use this reports for Linux environment ?</P> Mon, 23 Aug 2021 03:37:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-failed-login-attempts/m-p/564252#M196556 kagamalai 2021-08-23T03:37:44Z