Splunk Search

How to search for failed login attempts?

mhuntington
Explorer

I hate to say it, but I am a Splunk-newb. I plan on taking a Splunk course, but for now, I am just trying to get my feet wet.

As an introductory project, I am trying to search for failed log-on attempts.

Can someone tell me where to start? Should I look for Windows event codes? Do I need the Splunk Support for Active Directory app, or is there another way?

1 Solution

JDukeSplunk
Builder

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events.

index=yourindex
sourcetype="WinEventLog:Security"
EventCode=4625
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=2,"Interactive",Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=8,"NetworkCleartext",Logon_Type=9,"New Credentials",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",true(),"Other (".Logon_Type.")")
| stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType, host, _time
| sort + Security_ID

In case you want it, here are successful login events.

index=yourindex
sourcetype="WinEventLog:Security"
EventCode=4624
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=2,"Interactive",Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=8,"NetworkCleartext",Logon_Type=9,"New Credentials",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",true(),"Other (".Logon_Type.")")
| stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType, host, _time
| sort + Security_ID

AaronMoorcroft
Communicator

For what it's worth, as I can see this post is old, you could try this: EventCode=4625 | stats count by Account_Name, Workstation_Name, Failure_Reason, Source_Network_Address | search count>5

I have posted this as there are a few similar Splunk answers knocking around, but none seemed to work for me or quite gave me what I needed. This will show failed logon attempts over 5 attempts.

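As an added example that is not from this thread, the following Python stand-in reproduces offline what the two searches above do: it parses constructed 4625 events, takes the target account the way mvindex(Account_Name,1) does, labels the logon type, and keeps the account/workstation/source groups with more than five failures (the count>5 threshold). The logon type labels follow Microsoft's documented names rather than the labels used in the post, and the sample events are constructed, not real log data.

```python
"""Offline stand-in for the searches in this thread: parse constructed 4625
events, keep the target account (the second Account Name, which is what
mvindex(Account_Name,1) picks), label the logon type, then count failures
per account/workstation/source and keep those above a threshold (count>5)."""
import re
from collections import Counter

# Standard Windows logon type names (assumption: Microsoft's documented labels).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample events in the multi-line layout the Windows add-on indexes.
TEMPLATE = """EventCode=4625
Logon Type:\t\t{ltype}
\tAccount Name:\t\t-
\tAccount Name:\t\t{user}
\tFailure Reason:\t\tUnknown user name or bad password.
\tWorkstation Name:\t{ws}
\tSource Network Address:\t{src}
"""
SAMPLE_EVENTS = ([TEMPLATE.format(ltype=3, user="jdoe", ws="WS01", src="10.0.0.5")] * 7
                 + [TEMPLATE.format(ltype=10, user="asmith", ws="WS02", src="10.0.0.9")] * 2)

def _field(event, label):
    """Value of the first indented 'Label:' line, or NULL (like fillnull value=NULL)."""
    m = re.search(rf"^\t{label}:\s*(.+?)\s*$", event, re.M)
    return m.group(1) if m else "NULL"

def parse_4625(event):
    """Return the fields the stats clauses in the thread group by, or None."""
    if not re.search(r"^EventCode=4625$", event, re.M):
        return None
    names = re.findall(r"^\tAccount Name:\s*(\S+)", event, re.M)  # [subject, target]
    lt = re.search(r"^Logon Type:\s*(\d+)", event, re.M)
    ltype = int(lt.group(1)) if lt else -1
    return {"Account_Name": names[1] if len(names) > 1 else "NULL",
            "LoginType": LOGON_TYPES.get(ltype, f"Unknown ({ltype})"),
            "Workstation_Name": _field(event, "Workstation Name"),
            "Failure_Reason": _field(event, "Failure Reason"),
            "Source_Network_Address": _field(event, "Source Network Address")}

def failed_logins_over(events, threshold=5):
    """stats count by Account_Name, Workstation_Name, Failure_Reason,
    Source_Network_Address | search count>threshold, returned as a dict."""
    counts = Counter()
    for fields in filter(None, map(parse_4625, events)):
        counts[(fields["Account_Name"], fields["Workstation_Name"],
                fields["Failure_Reason"], fields["Source_Network_Address"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}
```

Events whose EventCode is not 4625 are skipped, and a missing field becomes the string NULL so it still groups, matching the fillnull step in the searches.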

kagamalai
Explorer

How do I use these reports for a Linux environment?


Greendav
Explorer

What if you were doing this on a Linux server?


jackal713
Path Finder

Tried to give you points for this answer but I don't have enough. That cheat sheet is solid GOLD!


mhuntington
Explorer

Wow, thank you very much. This looks like a perfect starting point.


JDukeSplunk
Builder

You're very welcome, glad I could help. If this answered your question, please accept the answer (I need the points).


JDukeSplunk
Builder

If it does not work for you, try just:

index=yourindex
sourcetype="WinEventLog:Security"
EventCode=4624

Also, if you just want a summary, remove _time from the | stats line.
