Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for failed login attempts?

mhuntington
Explorer
‎07-28-2016 09:52 AM

I hate to say it, but I am a Splunk-newb. I plan on taking a Splunk course, but for now, I am just trying to get my feet wet.

As an introductory project, I am trying to search for failed log-on attempts.

Can someone tell me where to start? Should I look for Windows event codes? Do I need the Splunk Support for Active Directory app, or is there another way?

Reply
1 Solution
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎07-28-2016 10:13 AM

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4625
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

In case you want it, here is successful login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4624 
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

View solution in original post

Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎06-21-2018 03:24 AM

For what its worth as I can see this post is old, you could try this - EventCode=4625 | stats count by Account_Name, Workstation_Name, Failure_Reason, Source_Network_Address | search count>5

I have posted this as there are a few similar Splunk answers knocking around but none seemed to work for me or quite gave me what I needed, this will show failed logon attempts over 5 attempts

0 Karma
Reply
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎07-28-2016 10:13 AM

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4625
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

In case you want it, here is successful login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4624 
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID
Reply
Solved! Jump to solution

kagamalai
Explorer
‎08-22-2021 08:37 PM

How to use this reports for Linux environment ?

0 Karma
Reply
Solved! Jump to solution

Greendav
Explorer
‎10-23-2018 02:25 PM

What if you were doing this on a Linux Server ?

0 Karma
Reply
Solved! Jump to solution

jackal713
Path Finder
‎06-18-2018 12:56 PM

Tried to give you points for this answer but I don't have enough. That cheat sheet is solid GOLD!

0 Karma
Reply
Solved! Jump to solution

mhuntington
Explorer
‎07-28-2016 10:23 AM

Wow, thank you very much. This looks like a perfect starting point.

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎08-05-2016 11:48 AM

You're very welcome, glad I could help. If this answered your question please accept the answer (I need the points)

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎07-28-2016 10:17 AM

If it does not work for you, try just 

 index=yourindex
 sourcetype="WinEventLog:Security" 
 EventCode=4624

Also, if you just want a summary, remove _time from the |stats line.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...