Security

Top 10 Failed Login

sittingonion
Observer

I'm new to Splunk.

I created 15 users and had failed login attempts on some of them.

How can I find the first 10 failed login attempts? With what command can I see this in Splunk?

sourcetype="WinEventLog:Security" eventcode 4625| top limit=10 "Account Name"

I tried it, but it brought all users. How do I integrate the failed part into it? Am I walking on the wrong path?


kkrises
Path Finder

Here is your SPL query; let me know if it works for you.

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=529) Account_Name!="" | stats count by Account_Name | sort -count | head 10

Event code 529 captures failure events from Windows 2003 or older versions.

Account_Name!="<put a value which doesn't make any sense to you, like blank, - etc.>"

head 10 - for the top 10 results.

Hope this helps and happy Splunking!


richgalloway
SplunkTrust

You're on the right path.

The event should have a field that indicates if the login succeeded or failed.  Test that field in your query to include only failures.  You'll need to remove the top command to see the full event.

The query may end up looking something like this:

sourcetype="WinEventLog" EventCode=4625 index=wineventlog action=failure
| top limit=10 Account_Name
---
If this reply helps you, Karma would be appreciated.
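An added example, not from the thread or from Splunk, that applies the same logic as the answers above outside SPL: it parses constructed WinEventLog:Security-style events in Python, keeps only EventCode 4625/529, reads the account under "Account For Which Logon Failed" rather than the Subject's Account Name (a 4625 event carries both, which is why a naive "Account Name" pick can mislead), drops blank and "-" names as Account_Name!="" does, and returns the top N. Event texts, user names and counts are constructed sample data.

```python
"""Top-N failed logons from Windows Security events (added example, not from the
thread). Mirrors the SPL answers: keep EventCode 4625/529, drop blank or '-'
account names, count by account, sort descending, head N. Sample data is constructed."""
from collections import Counter
import re

FAILURE_CODES = {"4625", "529"}  # 4625 = Vista and later, 529 = Windows 2003 and older
CODE_RE = re.compile(r"EventCode=(\d+)")
# Only the second "Account Name" is the failed user; the Subject's Account Name is the caller.
TARGET_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:[ \t]*([^\r\n]*)", re.S)

def make_event(code, subject, target, section="Account For Which Logon Failed"):
    """Build a constructed event in the multi-line WinEventLog:Security layout."""
    return (f"EventCode={code}\nSubject:\n\tAccount Name:\t\t{subject}\n"
            f"{section}:\n\tAccount Name:\t\t{target}\n")

# Constructed sample: 4625 = modern failure, 529 = Windows 2003 failure, 4624 = success.
SAMPLE_EVENTS = [
    make_event(4625, "-", "user01"),
    make_event(4625, "-", "user01"),
    make_event(4625, "WIN-DC01$", "user01"),  # subject is a machine account, target still user01
    make_event(4625, "-", "user02"),
    make_event(4625, "-", "user02"),
    make_event(4625, "-", "user03"),
    make_event(529, "-", "user04"),
    make_event(4625, "-", "-"),               # junk account name, dropped like Account_Name!="-"
    make_event(4625, "-", ""),                # blank account name, dropped like Account_Name!=""
    make_event(4624, "-", "user01", section="New Logon"),  # successful logon, not counted
]

def failed_account(event):
    """Return the account whose logon failed, or None when the event is not a
    failure event or the extracted name is blank / '-'."""
    code = CODE_RE.search(event)
    if not code or code.group(1) not in FAILURE_CODES:
        return None
    m = TARGET_RE.search(event)
    name = m.group(1).strip() if m else ""
    return name if name not in ("", "-") else None

def top_failed_logons(events, limit=10):
    """Equivalent of: stats count by Account_Name | sort -count | head <limit>."""
    counts = Counter(name for name in map(failed_account, events) if name)
    return counts.most_common(limit)

if __name__ == "__main__":
    for account, count in top_failed_logons(SAMPLE_EVENTS):
        print(f"{account:<12}{count}")
```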