I have the Splunk Windows Infrastructure app installed and when I run this search below:
I get this returned below, but I'm not understanding how the search result is associated to eventtype=msad-failed-user-logons. The below shows EventType=0. What does msad-failed-user-logons mean and how come it doesn't show that in the search result?
09/19/2017 03:42:13 PM
SourceName=Microsoft Windows security auditing.
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
host=somehost source=WinEventLog:Security sourcetype=WinEventLog:Security
The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).
To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.