Hi Splunkers,
I'm performing some searches to monitor Windows user failure attempts. The failure itself is not a problem; I know the proper Windows event code to monitor failed attempts. The focal point is that in each of these searches I have to add a particular condition to check.
Among these searches, two are giving me some difficulty: in one I have to monitor login failures performed by an expired account, while in the other I have to track attempts by a disabled account.
In my scenario, where I have the Windows add-on installed in my environment, how can I track the two scenarios above?
The Splunk Security Essentials app has examples for both of those.
Hi richgalloway, do you mean that among the preconfigured CS of Enterprise Security there are two that fit my needs?
I mean the Splunk Security Essentials (SSE) app has use cases that may fit your needs. Whether or not they're also part of ES I'm not sure. SSE is a free app.
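As an added example (not code from this thread, from SSE or from ES), here is one SPL search that tags 4625 logon failures with the reason Windows records in the event's Sub Status field, so expired and disabled accounts can be tracked in a single search or split into two alerts. The `wineventlog` index, the `user`, `src` and `Sub_Status` field names (as extracted by the Windows add-on) and the source name are assumptions about the reader's environment; the status codes are the documented NTSTATUS values Windows writes into the event.

```spl
index=wineventlog source="WinEventLog:Security" EventCode=4625
| eval failure_reason=case(
      Sub_Status=="0xC0000072", "account disabled",
      Sub_Status=="0xC0000193", "account expired",
      Sub_Status=="0xC0000071", "password expired",
      Sub_Status=="0xC0000234", "account locked out")
| where isnotnull(failure_reason)
| stats count min(_time) AS first_seen max(_time) AS last_seen
        BY failure_reason user src Logon_Type
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Note that for domain accounts authenticating via Kerberos the disabled/expired condition is often recorded on the domain controller as event 4768 or 4771 with failure code 0x12 (KDC_ERR_CLIENT_REVOKED) rather than as a 4625 on the target host, so a complete view needs both sources.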