
SPL

Failed Attempt to Login to a Disabled Account

Description

Submitted by SplunkNinja

This Splunk search lists every user who attempted to log on to a disabled account. It keys on Windows Security event 4625 (logon failure) with sub-status 0xC0000072, the status code for a logon to an account that has been disabled, drops events whose target Security ID is NULL SID, and excludes account names ending in $ so computer accounts are left out. The rex command pulls the target account name out of the "Account For Which Logon Failed" block of the message into a field named facct, which is then counted per day, host and status. (Tested only on Windows 7 / Server 2008 and newer Windows logs).

source="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$"
| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date, facct, host, Keywords
| rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"
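To show what the search does step by step, here is the same detection logic written in Python and run over constructed WinEventLog-style 4625 text events. This is an added example and not part of the original post; the host names, SIDs and account names are made up, and the multivalue handling of Splunk's Account_Name and Security_ID fields is simplified to the target account and its SID only. The regex is the same one the query's rex command uses.

```python
import re
from collections import Counter
from datetime import datetime

# Sub-status 0xC0000072 in a 4625 event is "account currently disabled";
# this is the value the SPL query keys on (compared case-insensitively here).
DISABLED_SUB_STATUS = "0xc0000072"

# Same pattern as the query's rex: after "Which Logon Failed:" skip
# "Security ID: <one token>" and capture the Account Name. A two-token SID
# such as "NULL SID" deliberately fails to match, consistent with the
# Security_ID!="NULL SID" filter in the search.
TARGET_ACCOUNT_RE = re.compile(
    r"Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?P<facct>\S+)"
)
TARGET_SID_RE = re.compile(r"Which\sLogon\sFailed:\s+Security\sID:\s+(.+)")
SUB_STATUS_RE = re.compile(r"Sub\sStatus:\s+(0x[0-9A-Fa-f]+)")


def make_event(timestamp, host, sid, account, sub_status):
    """Build a constructed WinEventLog-style 4625 text event (sample data, not a real log)."""
    return f"""{timestamp}
LogName=Security
EventCode=4625
ComputerName={host}
Keywords=Audit Failure
Message=An account failed to log on.

Account For Which Logon Failed:
    Security ID:        {sid}
    Account Name:       {account}
    Account Domain:     CORP

Failure Information:
    Status:             0xC000006E
    Sub Status:         {sub_status}
"""


# Constructed sample input covering the cases the query's filters handle.
SAMPLE_EVENTS = [
    make_event("12/07/2018 09:15:02 AM", "WKS01", "S-1-5-21-1111-2222-3333-1105", "jdoe", "0xC0000072"),
    make_event("12/07/2018 09:16:10 AM", "WKS01", "S-1-5-21-1111-2222-3333-1105", "jdoe", "0xC0000072"),
    make_event("12/07/2018 10:02:44 AM", "WKS01", "S-1-5-21-1111-2222-3333-1106", "svc-backup", "0xC000006A"),  # bad password, not disabled
    make_event("12/08/2018 01:30:00 AM", "DC01", "S-1-5-21-1111-2222-3333-1201", "SRV02$", "0xC0000072"),  # computer account, dropped by the $ filter
    make_event("12/08/2018 02:05:19 AM", "DC01", "NULL SID", "ghost", "0xC0000072"),  # unresolved SID, dropped by the NULL SID filter
    make_event("12/08/2018 03:11:58 AM", "DC01", "S-1-5-21-1111-2222-3333-1107", "asmith", "0xC0000072"),
]


def parse_event(raw):
    """Extract the fields the SPL query references from one text event."""
    def header(key):
        m = re.search(rf"^{key}=(.*)$", raw, re.M)
        return m.group(1).strip() if m else None

    first_line = raw.strip().splitlines()[0].strip()
    sub = SUB_STATUS_RE.search(raw)
    sid = TARGET_SID_RE.search(raw)
    acct = TARGET_ACCOUNT_RE.search(raw)
    return {
        "_time": datetime.strptime(first_line, "%m/%d/%Y %I:%M:%S %p"),
        "EventCode": header("EventCode"),
        "host": header("ComputerName"),
        "Keywords": header("Keywords"),
        "Sub_Status": sub.group(1) if sub else None,
        "Security_ID": sid.group(1).strip() if sid else None,
        "facct": acct.group("facct") if acct else None,
    }


def is_disabled_account_failure(ev):
    """The query's filter: 4625, disabled-account sub-status, a resolved SID and a non-computer target."""
    return (
        ev["EventCode"] == "4625"
        and (ev["Sub_Status"] or "").lower() == DISABLED_SUB_STATUS
        and ev["Security_ID"] != "NULL SID"
        and ev["facct"] is not None
        and not ev["facct"].endswith("$")
    )


def count_by_date_account_host(raw_events):
    """Equivalent of '| eval Date=strftime(...) | stats count by Date, facct, host, Keywords'."""
    counts = Counter()
    for ev in (parse_event(r) for r in raw_events):
        if is_disabled_account_failure(ev):
            counts[(ev["_time"].strftime("%Y/%m/%d"), ev["facct"], ev["host"], ev["Keywords"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (date, account, host, status), n in sorted(count_by_date_account_host(SAMPLE_EVENTS).items()):
        print(f"{date}  Target Account={account:<12} Host={host:<6} Status={status}  Count={n}")
```

Running the block prints two rows, jdoe on WKS01 with a count of 2 and asmith on DC01 with a count of 1; the bad-password, computer-account and NULL SID events are filtered out exactly as the search's conditions would drop them.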

Comments

3 total

hokiefans
12/7/2018

Need to change the rename section to read, starting with the pipe:
| rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"

glitch
11/29/2020

What does "facct" indicate? Wasn't able to find any information on it.

lw
12/24/2020

facct is the failed account value extracted by the rex command.
