Splunk Search

How to search for failed login attempts?

mhuntington
Explorer

I hate to say it, but I am a Splunk-newb. I plan on taking a Splunk course, but for now, I am just trying to get my feet wet.

As an introductory project, I am trying to search for failed log-on attempts.

Can someone tell me where to start? Should I look for Windows event codes? Do I need the Splunk Support for Active Directory app, or is there another way?

1 Solution

JDukeSplunk
Builder

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events.

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4625
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

In case you want it, here are the successful login events.

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4624 
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID


AaronMoorcroft
Communicator

For what it's worth, as I can see this post is old, you could try this:

EventCode=4625 | stats count by Account_Name, Workstation_Name, Failure_Reason, Source_Network_Address | search count>5

I have posted this as there are a few similar Splunk answers knocking around, but none seemed to work for me or quite gave me what I needed. This will show failed logon attempts over 5 attempts.

0 Karma
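Added example, not code from this thread or from Splunk: a small Python model of the two searches posted above (JDukeSplunk's EventCode=4625/4624 searches and AaronMoorcroft's count>5 search), run over constructed Windows Security events so you can see what mvindex(...,1), case() and a stats BY clause do to each event without a Splunk instance. Field names follow what the WinEventLog:Security sourcetype extracts; the hosts, addresses, SIDs and account names are made up, and the helpers mvindex and mv_by_values are this example's own approximations of Splunk behaviour.

```python
"""Model of the failed/successful logon searches from this thread, run over
constructed WinEventLog:Security events. Example code, not Splunk's."""
from collections import Counter

# Logon_Type -> label, exactly the case() mapping in the accepted answer.
# Types not listed here (2 Interactive, 8 NetworkCleartext) make case()
# return null, and stats ... BY then drops those events.
LOGON_TYPE_LABELS = {
    3: "RPC (not RDP)", 4: "Batch", 5: "Service",
    7: "Screen Unlock/Session Resume", 9: "New Credentials",
    10: "Remote Desktop", 11: "Cached",
}

BAD_PW = "Unknown user name or bad password."


def mvindex(value, i):
    """Model of SPL mvindex(): element i of a multivalue field, or null
    (None) when i is out of range or the field is single-valued and i > 0."""
    values = value if isinstance(value, list) else [value]
    return values[i] if 0 <= i < len(values) else None


def mv_by_values(value):
    """Model of a multivalue field in a stats BY clause: Splunk makes one
    group per value, so each event contributes to every value's row."""
    return value if isinstance(value, list) else [value]


def _win_event(code, target_account, logon_type, host, src_ip, workstation,
               reason=None, target_sid="NULL SID", subject_account="-",
               subject_sid="NULL SID"):
    """Build one constructed event. Multivalue fields are lists in the order
    Splunk extracts them from 4624/4625: [Subject, Target account]."""
    ev = {"EventCode": code, "host": host, "Logon_Type": logon_type,
          "Account_Name": [subject_account, target_account],
          "Security_ID": [subject_sid, target_sid],
          "Workstation_Name": workstation, "Source_Network_Address": src_ip}
    if reason is not None:
        ev["Failure_Reason"] = reason
    return ev


# Constructed sample data (all values made up).
SAMPLE_EVENTS = (
    # six RDP failures for jsmith from one source: what count>5 should catch
    [_win_event(4625, "jsmith", 10, "DC01", "10.0.0.5", "WS-22", BAD_PW) for _ in range(6)]
    # one network-logon failure for admin from another source: below threshold
    + [_win_event(4625, "admin", 3, "DC01", "10.0.0.9", "WS-09", BAD_PW)]
    # a console failure (Logon_Type=2) that the case() list does not cover
    + [_win_event(4625, "jsmith", 2, "WS-22", "127.0.0.1", "WS-22", BAD_PW)]
    # one successful RDP logon with real-looking SIDs
    + [_win_event(4624, "jsmith", 10, "DC01", "10.0.0.5", "WS-22",
                  target_sid="S-1-5-21-0-0-0-1001", subject_sid="S-1-5-18",
                  subject_account="DC01$")]
)
# A 4624 whose Account_Name/Security_ID extracted as single values (constructed):
# mvindex(...,1) is null for it, so the accepted search never shows it.
_single = _win_event(4624, "svc-backup", 5, "DC01", "-", "DC01")
_single["Account_Name"] = "svc-backup"
_single["Security_ID"] = "S-1-5-21-0-0-0-1100"
SAMPLE_EVENTS.append(_single)


def login_events(events, event_code):
    """Model of the accepted answer's search for one EventCode, with _time
    removed from the BY clause as the follow-up suggests for a summary.
    Returns {(Security_ID, Account_Name, LoginType, host): count}.
    Note the original runs fillnull *before* the evals, so nulls produced by
    mvindex() or case() are not filled and those events fall out of stats."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != event_code:
            continue
        key = (mvindex(ev.get("Security_ID"), 1),      # target SID
               mvindex(ev.get("Account_Name"), 1),     # target account
               LOGON_TYPE_LABELS.get(ev.get("Logon_Type")),  # case()
               ev.get("host"))
        if any(k is None for k in key):   # stats BY drops null group fields
            continue
        counts[key] += 1
    return dict(counts)


def failed_logins_over_threshold(events, threshold=5):
    """Model of AaronMoorcroft's search: EventCode=4625 | stats count by
    Account_Name, Workstation_Name, Failure_Reason, Source_Network_Address
    | search count>5. Without mvindex, the multivalue Account_Name is split,
    so the Subject account ("-") gets its own row next to the target."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != 4625:
            continue
        for account in mv_by_values(ev.get("Account_Name")):
            key = (account, ev.get("Workstation_Name"),
                   ev.get("Failure_Reason"), ev.get("Source_Network_Address"))
            if any(k is None for k in key):
                continue
            counts[key] += 1
    return {k: n for k, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for row, n in failed_logins_over_threshold(SAMPLE_EVENTS).items():
        print("over threshold:", row, n)
    for row, n in login_events(SAMPLE_EVENTS, 4625).items():
        print("failed:", row, n)
```

Running it shows the two effects worth knowing before trusting either search on real data: the console failure (Logon_Type=2) and the single-valued 4624 vanish from the accepted answer's output because case() and mvindex() returned null, and the count>5 search reports a "-" row alongside "jsmith" because Account_Name was still multivalue when stats grouped on it.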

kagamalai
Explorer

How to use these reports for a Linux environment?

0 Karma

Greendav
Explorer

What if you were doing this on a Linux server?

0 Karma

jackal713
Path Finder

Tried to give you points for this answer but I don't have enough. That cheat sheet is solid GOLD!

0 Karma

mhuntington
Explorer

Wow, thank you very much. This looks like a perfect starting point.

0 Karma

JDukeSplunk
Builder

You're very welcome, glad I could help. If this answered your question please accept the answer (I need the points)

0 Karma

JDukeSplunk
Builder

If it does not work for you, try just

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4624 

Also, if you just want a summary, remove _time from the |stats line.

0 Karma