×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
thomasbchurch
New Member
Member since: ‎09-25-2017
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-25-2017
View All

Re: How to audit security logs to find password co...

by in Security
‎04-29-2019 09:57 AM
‎04-29-2019 09:57 AM
To narrow down to a possible password in the username field, you need to add the Sub_Status field for a value of "0xc0000064" index=wineventlog EventCode=4625 Sub_Status="0xc0000064" This will return failed logon attempts where "Username does not exist." The problem you have is that you will have a username that doesn't exist (likely a typo of the user's name, but sometimes is a password) and then you will have a valid username. Therefore, your transaction cannot be by the Account_Name field. If your target is a workstations, you can probably remove Account_Name from the transaction. Things will be more difficult if you're working with an RDP server or something else with lots of logons from different users. Explore your data with the addition of the Sub_Status - I think that will get you closer to where you want to be. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM