Getting Data In

Whitelist bad logon

sswigart
Explorer

I want to whitelist events when users put the password in the logon window during login.
See example below, note the *****:

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: Computer01
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 7

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User
Account Domain: MyDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D **************
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x8e0D
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: Computer01
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

My whitelist is as follows:

whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"

Need assistance with coding the 0xc000006d

Thank you!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sswigart,
sorry but I don't understand what do you mean with "whitelist": do you want as search result all the 4625 events? or what else?
If you want to filter events to extract logFail events (EventCode=4625) you could run something like this:

index=wineventlog EventCode=4625 Message="Failure\sInformation\sStatus:\s+0xc000006d"
| table ...

Ciao.
Giuseppe

0 Karma

sswigart
Explorer

Giuseppe,
Thank you for your suggestion.
I am trying to create a whitelist in the etc\system\local\inputs.conf file.
Still not having any success.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sswigart,
you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time.
Anyway, at http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf there's an example of whitelisting Windows EventCodes.

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...