Failed Authentication to Non-existing Accounts
Description
This Splunk query returns failed logon attempts against accounts that do not exist. It has been tested and confirmed on Windows Server 2008 and newer machines:
source="WinEventLog:security" sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000064
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)"
| stats count by Date, uacct, host
| rename count as "Attempts"
| sort - Attempts
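The same detection logic carried out offline in Python, as an added example that is not part of the original query: it applies the query's sub-status filter and its rex pattern to constructed 4625 event bodies and reproduces the stats/sort output. The event dictionaries, host names and account names are made up for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The rex from the query; Python spells the named group (?P<name>...) instead of (?<name>...).
UACCT_RE = re.compile(
    r"Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?P<uacct>\S.*)"
)
NO_SUCH_USER = "0xC0000064"  # Sub_Status STATUS_NO_SUCH_USER: the account does not exist

def raw_4625(account, sid="NULL SID"):
    """Constructed body of a 4625 event in the Security log's tab-indented layout."""
    return ("An account failed to log on.\n\n"
            "Account For Which Logon Failed:\n"
            f"\tSecurity ID:\t\t{sid}\n"
            f"\tAccount Name:\t\t{account}\n"
            "\tAccount Domain:\t\tCORP\n")

# Constructed sample events, shaped like indexed WinEventLog:Security events (fields plus _raw).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "DC01", "EventCode": 4625, "Sub_Status": "0xC0000064", "_raw": raw_4625("admin")},
    {"_time": 1700000060, "host": "DC01", "EventCode": 4625, "Sub_Status": "0xC0000064", "_raw": raw_4625("admin")},
    {"_time": 1700000120, "host": "DC01", "EventCode": 4625, "Sub_Status": "0xC0000064", "_raw": raw_4625("backup")},
    # Wrong password for an existing account (0xC000006A): excluded by the Sub_Status filter.
    {"_time": 1700000180, "host": "DC01", "EventCode": 4625, "Sub_Status": "0xC000006A",
     "_raw": raw_4625("jsmith", "S-1-5-21-1-2-3-1001")},
    # Successful logon: excluded by EventCode.
    {"_time": 1700000240, "host": "FS01", "EventCode": 4624, "_raw": "An account was successfully logged on."},
]

def failed_logons_to_missing_accounts(events):
    """Return [(Date, uacct, host, Attempts)] sorted by Attempts descending,
    mirroring: search | eval Date | rex | stats count by Date, uacct, host | sort - Attempts."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] != 4625 or ev.get("Sub_Status") != NO_SUCH_USER:
            continue
        m = UACCT_RE.search(ev["_raw"])
        if not m:  # rex silently drops events the pattern does not match
            continue
        date = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y/%m/%d")
        counts[(date, m.group("uacct"), ev["host"])] += 1
    return sorted(((d, u, h, n) for (d, u, h), n in counts.items()),
                  key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for row in failed_logons_to_missing_accounts(SAMPLE_EVENTS):
        print(row)
```

The rex assumes exactly two tabs between "Account Name:" and the value; if an event is formatted differently the match fails and that event is dropped from the count, which is worth checking against your own data before relying on the numbers.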