
How to track Windows Login failure from expired or disabled account

SIEMStudent
Path Finder

Hi Splunkers,

I'm building some searches to monitor Windows user login failure attempts. The failure itself is not a problem, since I know the proper Windows event code to monitor failure attempts; the focal point is that in each of these searches I have to add a particular condition to check.
Among these searches, two are giving me some difficulty: in one I have to monitor login failures performed by an expired account, while in another I have to track attempts by a disabled account.
In my scenario, where I have the Windows add-on installed in my environment, how can I track the two scenarios above?

0 Karma

richgalloway
SplunkTrust

The Splunk Security Essentials app has examples for both of those.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SIEMStudent
Path Finder

Hi richgalloway, do you mean that among the preconfigured CS of Enterprise Security there are 2 that fit my needs?

0 Karma

richgalloway
SplunkTrust

I mean the Splunk Security Essentials (SSE) app has use cases that may fit your needs.  Whether or not they're also part of ES I'm not sure.  SSE is a free app.

---
If this reply helps you, an upvote would be appreciated.
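
One way to write the two searches asked about in this thread, as an added example that is not from the posters above or from Splunk Security Essentials: Windows event 4625 records why the logon failed in its sub-status code, where 0xC0000072 means the account is disabled and 0xC0000193 means the account has expired. The index name `wineventlog` and the field names `Sub_Status` (classic rendering), `SubStatus` (XML rendering), `user` and `src` are assumptions about how the Splunk Add-on for Windows is deployed; adjust them to your environment.

```spl
index=wineventlog source="*WinEventLog:Security" EventCode=4625
| eval sub_status=lower(coalesce(Sub_Status, SubStatus))
| eval failure_condition=case(
    sub_status=="0xc0000072", "account disabled",
    sub_status=="0xc0000193", "account expired")
| where isnotnull(failure_condition)
| stats count AS attempts,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(src) AS sources
        BY user, failure_condition, host
| convert ctime(first_seen) ctime(last_seen)
| sort - attempts
```

Sub-status 0xC0000071 is an expired password, not an expired account, so it is deliberately left out of the `case()`; split the search on `failure_condition` if the two conditions need separate alerts.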