Getting Data In

Whitelist bad logon

New Member

I want to whitelist events when users put the password in the logon window during login.
See example below, note the *****:

An account failed to log on.

Security ID: SYSTEM
Account Name: Computer01
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 7

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User
Account Domain: MyDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D **************
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x8e0D
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: Computer01
Source Network Address:
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

My whitelist is as follows:

whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"

Need assistance with coding the 0xc000006d

Thank you!

0 Karma

Esteemed Legend

Hi @sswigart,
sorry but I don't understand what do you mean with "whitelist": do you want as search result all the 4625 events? or what else?
If you want to filter events to extract logFail events (EventCode=4625) you could run something like this:

index=wineventlog EventCode=4625 Message="Failure\sInformation\sStatus:\s+0xc000006d"
| table ...


0 Karma

New Member

Thank you for your suggestion.
I am trying to create a whitelist in the etc\system\local\inputs.conf file.
Still not having any success.

0 Karma

Esteemed Legend

Hi @sswigart,
you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time.
Anyway, at there's an example of whitelisting Windows EventCodes.


0 Karma
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...