
Failed Attempt to Initiate Remote Desktop Session

Description

Submitted by SplunkNinja

This Splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows Server 2008 and Newer:

source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, Failure_Reason, host

Windows Server 2003 and Older:

source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, User_Name, Reason, host
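As an added example, not part of the submitted SPL, the 2008-and-newer search is re-implemented in Python over constructed 4625 event bodies so the filter and the rex can be checked offline. It shows why the rex anchors on "Failed:": a 4625 body carries two "Account Name:" fields, and the first (under Subject) is the requesting account, not the one that failed. The event dicts with `_time`, `host`, `EventCode` and `Message` keys, and the `make_4625` helper that builds the sample text, are assumptions for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Same anchor as the SPL rex: a 4625 body carries two "Account Name:" fields
# (Subject, then the account the logon was for), so match after "Logon Failed:".
TARGET_ACCOUNT_RE = re.compile(r"Failed:\s+.*\s+Account\sName:\s+(?P<TargetAccount>\S+)\s")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(\d+)")
FAILURE_REASON_RE = re.compile(r"Failure Reason:\s+(.+?)\s*$", re.M)


def make_4625(target, domain, logon_type, reason):
    # Constructed text shaped like a Windows 4625 event body (not a real log line).
    return (
        "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
        "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\nAccount For Which Logon Failed:\n"
        f"\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t{target}\n"
        f"\tAccount Domain:\t\t{domain}\n\nFailure Information:\n"
        f"\tFailure Reason:\t\t{reason}\n\tStatus:\t\t\t0xC000006D\n"
    )


# Constructed events: two RDP failures for jdoe, a network (type 3) failure that
# must be ignored, an RDP lockout on another host, and a success (4624) to skip.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "TS01", "EventCode": 4625,
     "Message": make_4625("jdoe", "CORP", 10, "Unknown user name or bad password.")},
    {"_time": 1700000060, "host": "TS01", "EventCode": 4625,
     "Message": make_4625("jdoe", "CORP", 10, "Unknown user name or bad password.")},
    {"_time": 1700000120, "host": "TS01", "EventCode": 4625,
     "Message": make_4625("svc-backup", "CORP", 3, "Unknown user name or bad password.")},
    {"_time": 1700000180, "host": "TS02", "EventCode": 4625,
     "Message": make_4625("admin", "CORP", 10, "Account locked out.")},
    {"_time": 1700000240, "host": "TS02", "EventCode": 4624,
     "Message": make_4625("jdoe", "CORP", 10, "-")},
]


def failed_rdp_logons(events):
    """Mirror the SPL: EventCode=4625 AND Logon_Type=10, then count by Date, TargetAccount, Failure_Reason, host."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] != 4625:
            continue
        lt = LOGON_TYPE_RE.search(ev["Message"])
        if not lt or lt.group(1) != "10":  # 10 = RemoteInteractive (RDP)
            continue
        acct = TARGET_ACCOUNT_RE.search(ev["Message"])
        reason = FAILURE_REASON_RE.search(ev["Message"])
        date = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y/%m/%d")
        counts[(date, acct.group("TargetAccount") if acct else None,
                reason.group(1) if reason else None, ev["host"])] += 1
    return counts
```

Running it over the constructed events yields two rows: jdoe on TS01 with count 2 and admin on TS02 with count 1; the type 3 failure and the 4624 success are dropped just as the SPL drops them.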
