This Splunk Search Query will indicate any user who attempted to login to a disabled account.
(Tested only on Windows 7 / Server 2008 and newer Windows logs).
source="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"
Need to change the rename section to read, starting with the pipe:
| rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"
What does "facct" indicate? Wasn't able to find any information on it.
facct is the failed account value extracted by the rex command.