Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for failed login attempts?

mhuntington
Explorer
‎07-28-2016 09:52 AM

I hate to say it, but I am a Splunk-newb. I plan on taking a Splunk course, but for now, I am just trying to get my feet wet.

As an introductory project, I am trying to search for failed log-on attempts.

Can someone tell me where to start? Should I look for Windows event codes? Do I need the Splunk Support for Active Directory app, or is there another way?

Reply
1 Solution
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎07-28-2016 10:13 AM

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4625
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

In case you want it, here is successful login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4624 
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

View solution in original post

Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎06-21-2018 03:24 AM

For what its worth as I can see this post is old, you could try this - EventCode=4625 | stats count by Account_Name, Workstation_Name, Failure_Reason, Source_Network_Address | search count>5

I have posted this as there are a few similar Splunk answers knocking around but none seemed to work for me or quite gave me what I needed, this will show failed logon attempts over 5 attempts

0 Karma
Reply
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎07-28-2016 10:13 AM

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4625
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID

In case you want it, here is successful login events. 

index=yourindex
sourcetype="WinEventLog:Security" 
EventCode=4624 
|fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1) 
| eval Security_ID = mvindex(Security_ID,1) 
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials")
|stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time  |sort + Security_ID
Reply
Solved! Jump to solution

kagamalai
Explorer
‎08-22-2021 08:37 PM

How to use this reports for Linux environment ?

0 Karma
Reply
Solved! Jump to solution

Greendav
Explorer
‎10-23-2018 02:25 PM

What if you were doing this on a Linux Server ?

0 Karma
Reply
Solved! Jump to solution

jackal713
Path Finder
‎06-18-2018 12:56 PM

Tried to give you points for this answer but I don't have enough. That cheat sheet is solid GOLD!

0 Karma
Reply
Solved! Jump to solution

mhuntington
Explorer
‎07-28-2016 10:23 AM

Wow, thank you very much. This looks like a perfect starting point.

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎08-05-2016 11:48 AM

You're very welcome, glad I could help. If this answered your question please accept the answer (I need the points)

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎07-28-2016 10:17 AM

If it does not work for you, try just 

 index=yourindex
 sourcetype="WinEventLog:Security" 
 EventCode=4624

Also, if you just want a summary, remove _time from the |stats line.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...