Security

Top 10 Failed Login

sittingonion
Observer

Im new to splunk , 

I created 15 users and had failed login attempts on some of them.

how can i find the first 10 failed login attempts,with what command can i see this in splunk

sourcetype="WinEventLog:Security" eventcode 4625| top limit=10 "Account Name"

I tried it brought all users but how do I integrate the failed part into it, am I walking on the wrong path?

Labels (1)
0 Karma

kkrises
Path Finder

Here is your SPL query, let me know if it works for you.

index=wineventlog sourcetype="Wineventlog:Security" EventCode=4625 OR EventCode=529 Account_Name!="" | stats count by Account_Name | sort -count | head 10

Event code 529 to capture failure events from Win 2003 or older versions

Account_Name!="<put value which doesn't make any sense to you like blank/- etc>

head 10 - for top 10 results.

Hope this helps and happy Splunking!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You're on the right path.

The event should have a field that indicates if the login succeeded or failed.  Test that field in your query to include only failures.  You'll need to remove the top command to see the full event.

The query may end up looking something like this:

sourcetype="WinEventLog" EventCode=4625 index=wineventlog action=failure
| top limit=10 Account_Name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...