List of Legitimate Account Names in Windows

This Splunk query lists all successful logins by account name for a given time range. It works on a variety of Windows operating systems, including XP, 2003, Vista, 2008, 7, 8, and Server 2012. I’ve tested some of my queries in some capacity on Windows 10; so far they appear to work the same as on previous versions.

This query relies on the Splunk App for Windows, grab it here:


source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624) | rex "New\sLogon:\s+.*\s+Account\sName:\s+(?<UserName>\S+)" | eval Account=coalesce(User_Name,UserName) | stats count by Account | sort - count
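
The following Python example is added here and is not from the original post: it replays the query's filters, rex extraction and coalesce over constructed events, showing why the regex anchors on "New Logon:" instead of taking the first "Account Name:" in a 4624 message. The event dicts, the trimmed message layout and the names account_of, msg_4624, ev and SAMPLE_EVENTS are assumptions standing in for the fields Splunk extracts.

```python
import re
from collections import Counter

# Same pattern as the rex above. Anchoring on "New Logon:" skips the earlier
# "Account Name:" in the Subject section (the caller, often MACHINE$ or "-").
NEW_LOGON_RE = re.compile(r"New\sLogon:\s+.*\s+Account\sName:\s+(?P<UserName>\S+)")
LOGON_TYPES = {"2", "7", "10"}        # interactive, unlock, RemoteInteractive
EVENT_CODES = {"528", "540", "4624"}  # successful logon: legacy IDs and 4624

def account_of(event):
    """Apply the query's filters, then coalesce(User_Name, UserName)."""
    if event.get("EventCode") not in EVENT_CODES:
        return None
    if event.get("Logon_Type") not in LOGON_TYPES:
        return None
    m = NEW_LOGON_RE.search(event.get("Message", ""))
    return event.get("User_Name") or (m.group("UserName") if m else None)

def count_by_account(events):
    """Equivalent of: stats count by Account | sort - count"""
    return Counter(a for a in map(account_of, events) if a).most_common()

def msg_4624(user, logon_type):
    """Constructed 4624 message text, trimmed to the fields the regex touches."""
    return ("An account was successfully logged on.\n\nSubject:\n"
            "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWKSTN01$\n\n"
            f"Logon Type:\t\t\t{logon_type}\n\nNew Logon:\n"
            "\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\n"
            f"\tAccount Name:\t\t{user}\n\tAccount Domain:\t\tCORP\n")

def ev(code, logon_type, user, legacy=False):
    """Constructed event; legacy 528/540 carry User_Name instead of New Logon."""
    e = {"EventCode": code, "Logon_Type": logon_type}
    if legacy:
        e.update(User_Name=user, Message=f"Successful Logon:\n\tUser Name:\t{user}\n")
    else:
        e["Message"] = msg_4624(user, logon_type)
    return e

SAMPLE_EVENTS = [  # constructed, not real log data
    ev("4624", "2", "alice"), ev("4624", "10", "alice"), ev("4624", "7", "alice"),
    ev("4624", "3", "svc_backup"),        # network logon: excluded by Logon_Type
    ev("528", "2", "bob", legacy=True),   # XP/2003-era event
    ev("4625", "2", "mallory"),           # failed logon: excluded by EventCode
]

if __name__ == "__main__":
    for account, count in count_by_account(SAMPLE_EVENTS):
        print(f"{account}\t{count}")
```

Accounts that appear only through network logons (type 3) or failed attempts never reach the resulting list, so it reflects accounts that actually held an interactive, unlock or remote desktop session.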


  1. sree

    A quick question please… how to get the list of all default users in the network (Windows, Linux and Unix environment, etc.)
