SPL
Failed Versus Successful Logon Attempts
Description
This Splunk search returns a count of failed versus successful logon attempts in a Windows environment. It keeps only interactive logons (Logon_Type 2), workstation unlocks (Logon_Type 7) and RDP/RemoteInteractive logons (Logon_Type 10), so network, batch and service logons are excluded. It covers both the legacy Security log event IDs used by Windows 2003 and earlier (528 and 540 for success, 529 through 537 and 539 for failure; 538 is a logoff and is deliberately left out) and the current ones (4624 for success, 4625 for failure). Two things to keep in mind: the EventCode and Logon_Type field names are those extracted by the Splunk Add-on for Microsoft Windows, and the case() function has no default branch, so any event whose EventCode is not listed gets no status and drops out of the stats output.
source="WinEventLog:security"
    (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
    (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625
     OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532
     OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536
     OR EventCode=537 OR EventCode=539)
| eval status=case(
    EventCode=528,  "Successful Logon",
    EventCode=540,  "Successful Logon",
    EventCode=4624, "Successful Logon",
    EventCode=4625, "Failed Logon",
    EventCode=529,  "Failed Logon",
    EventCode=530,  "Failed Logon",
    EventCode=531,  "Failed Logon",
    EventCode=532,  "Failed Logon",
    EventCode=533,  "Failed Logon",
    EventCode=534,  "Failed Logon",
    EventCode=535,  "Failed Logon",
    EventCode=536,  "Failed Logon",
    EventCode=537,  "Failed Logon",
    EventCode=539,  "Failed Logon")
| stats count by status
| sort - count
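To make explicit which events the search above actually counts, here is the same filter-and-classify logic as a standalone Python script. This is an added example, not code from the GoSplunk page or from Splunk; the event lines it runs over are constructed, flattened key=value renderings of the fields the search tests, not real WinEventLog captures, and the function names are this example's own. It shows the cases a practitioner usually trips over: a network logon (Logon_Type 3) is filtered out before classification, a logoff (4634) and any other unlisted EventCode get no status and vanish from the counts, and the legacy 5xx codes are counted alongside 4624/4625.

```python
"""
Offline re-implementation of the "failed vs. successful logon" search.
Added example, not Splunk code and not part of the original page.
Event lines below are constructed, simplified renderings of
WinEventLog:Security fields, not real captures.
"""
import re
from collections import Counter

# Logon types the search keeps: 2 interactive, 7 unlock, 10 RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {"2", "7", "10"}

# Same mapping as the search's eval status=case(...):
# 528/540 are the pre-Vista success codes, 4624 the current one;
# 529-537 and 539 are pre-Vista failure codes, 4625 the current one.
SUCCESS_CODES = {"528", "540", "4624"}
FAILURE_CODES = {"4625", "529", "530", "531", "532", "533",
                 "534", "535", "536", "537", "539"}

# key=value or key="quoted value" pairs (constructed flat format, see SAMPLE_EVENTS)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one flattened 'key=value' line into a dict of field -> value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event):
    """Return "Successful Logon", "Failed Logon", or None if the search would drop the event.

    Mirrors the SPL: the source and Logon_Type filters run before the eval,
    and case() without a default gives unlisted EventCodes no status, so
    'stats count by status' never sees them.
    """
    # The page spells the source with a lowercase 's'; compare case-insensitively.
    if event.get("source", "").lower() != "wineventlog:security":
        return None
    if event.get("Logon_Type") not in INTERACTIVE_LOGON_TYPES:
        return None
    code = event.get("EventCode")
    if code in SUCCESS_CODES:
        return "Successful Logon"
    if code in FAILURE_CODES:
        return "Failed Logon"
    return None


def count_by_status(lines):
    """Equivalent of '| stats count by status | sort - count'."""
    counts = Counter()
    for line in lines:
        status = classify(parse_event(line))
        if status is not None:
            counts[status] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample events (not real log data). Each line carries only the
# fields the search tests, plus an account name for context.
SAMPLE_EVENTS = [
    'source="WinEventLog:Security" EventCode=4624 Logon_Type=2 Account_Name=alice',
    'source="WinEventLog:Security" EventCode=4624 Logon_Type=10 Account_Name=bob',
    'source="WinEventLog:Security" EventCode=4625 Logon_Type=10 Account_Name=bob',
    'source="WinEventLog:Security" EventCode=4625 Logon_Type=10 Account_Name=bob',
    'source="WinEventLog:Security" EventCode=4625 Logon_Type=2 Account_Name=carol',
    # network logon: removed by the Logon_Type filter
    'source="WinEventLog:Security" EventCode=4624 Logon_Type=3 Account_Name=svc_backup',
    # logoff: not in the case() list, so no status and dropped by stats
    'source="WinEventLog:Security" EventCode=4634 Logon_Type=2 Account_Name=alice',
    # pre-Vista "unknown user name or bad password"
    'source="WinEventLog:Security" EventCode=529 Logon_Type=2 Account_Name=legacy',
    # wrong source: removed by the source filter
    'source="WinEventLog:System" EventCode=4624 Logon_Type=2 Account_Name=alice',
]

if __name__ == "__main__":
    for status, count in count_by_status(SAMPLE_EVENTS):
        print(f"{status}\t{count}")
```

Running it on the constructed events yields 4 failed and 2 successful logons: the Logon_Type 3 event, the 4634 logoff and the System-source event never reach the count, which is exactly the behaviour of the search's filters and its default-less case().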
Comments
Hi,

Can you select specific hosts for this query? Can you help me with an example?
[…] events, success and failure are flagged within the event. The following Splunk search (from the GoSplunk search repository), which I’ve used to identify failed vs. successful Windows logins, […]
Add your index and host fields at the beginning of the search:

example: index="main" host="*dc1*"