Failed Logon Attempts

Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host:

source="WinEventLog:security" EventCode=4625 
| timechart span=1h count by host

The following Splunk query will show a detailed table of failed logon attempts per host and user with 5 minute chunks/blocks of time, as well as show a sparkline (mini timechart) within the table itself.

source="WinEventLog:security" EventCode=4625
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host) 
| eval hammer=_time 
| bucket span=5m hammer 
| stats count sparkline by user host, hammer, Workstation_Name
| rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("5 minute blocks")

#Admin Notes – This query has replaced the original query on GoSplunk due to changes in the way Splunk displays windows data as well as eliminated pre-Windows 2008 EventCodes.

Splunk Query Repository

Failed Logon Attempts – Windows

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Failed Logon Attempts – Windows

Related Queries

DLL Serach Oreder Hijacking (mitre : T1574.001)

Search for disabled AD accounts that have been re-enabled

Zerologon Detection (CVE-2020-1472)

Leave A Comment? Click here to cancel reply.