SPL
Failed Authentication to Non-existing Accounts
Description
This Splunk query returns failed logon attempts against accounts that do not exist (Event ID 4625 with Sub_Status 0xC0000064). This has been tested and confirmed on Windows Server 2008 and newer machines:
source="WinEventLog:security" sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000064
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)"
| stats count by Date, uacct, host
| rename count as "Attempts"
| sort - Attempts
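The same detection logic outside Splunk, as an added example that is not part of the original page: it applies the page's rex pattern and filters (4625, Sub_Status 0xC0000064, the "user name does not exist" NTSTATUS code) to constructed 4625 event bodies and produces the Date/uacct/host/Attempts table. Host names, account names and timestamps are constructed; Sub_Status is carried as a pre-extracted field, as Splunk's Windows add-on would.

```python
import re
import time
from collections import Counter

# The page's rex pattern in Python's (?P<name>) syntax. It relies on the two
# tabs Windows puts after "Account Name:": "\s" consumes one, "." the other.
UACCT_RE = re.compile(
    r"Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?P<uacct>\S.*)"
)

def message_4625(account, sub_status):
    """Constructed 4625 body with the layout of the real Windows event text."""
    return (
        "An account failed to log on.\n\nAccount For Which Logon Failed:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tCORP\n\n"
        "Failure Information:\n\tStatus:\t\t\t0xC000006D\n"
        f"\tSub Status:\t\t{sub_status}\n"
    )

def event(host, t, code, account="", sub_status=""):
    """One indexed event; Sub_Status stands in for Splunk's extracted field."""
    return {"host": host, "_time": t, "EventCode": code,
            "Sub_Status": sub_status, "message": message_4625(account, sub_status)}

T0 = 1_700_000_000  # 2023/11/14 UTC; constructed timestamps
SAMPLE_EVENTS = [
    event("DC01", T0, 4625, "svc_backup", "0xC0000064"),
    event("DC01", T0 + 60, 4625, "svc_backup", "0xC0000064"),
    event("DC01", T0 + 120, 4625, "jdoe", "0xC000006A"),  # bad password, real user: excluded
    event("FS01", T0 + 180, 4625, "administrator", "0xC0000064"),
    event("DC01", T0 + 240, 4624),  # successful logon: excluded
    event("DC01", T0 + 300, 4625, "svc_backup", "0xC0000064"),
    event("DC01", T0 + 86_400, 4625, "svc_backup", "0xC0000064"),  # next day: own row
]

def failed_logons_unknown_accounts(events):
    """Mirror the SPL: filter, eval Date, rex uacct, stats count, rename, sort."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] != 4625 or ev["Sub_Status"].lower() != "0xc0000064":
            continue
        m = UACCT_RE.search(ev["message"])
        if not m:
            continue  # stats drops events for which rex extracted no uacct
        date = time.strftime("%Y/%m/%d", time.gmtime(ev["_time"]))
        counts[(date, m.group("uacct"), ev["host"])] += 1
    rows = [{"Date": d, "uacct": u, "host": h, "Attempts": c}
            for (d, u, h), c in counts.items()]
    return sorted(rows, key=lambda r: r["Attempts"], reverse=True)
```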