Password Non Compliance Windows

The following splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure to have the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older:

sourcetype="WinEventLog:Security" EventCode=627 Type="Failure Audit"| eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, host | sort - Date

Windows 2008 and Newer:

sourcetype="WinEventLog:Security" EventCode=4723  Keywords="Audit Failure" | eval Date=strftime(_time, "%Y/%m/%d") | rex "Target\sAccount:\s+Security\sID:.*\\\(?<account>\S+)" | stats count by Date, account, host | sort - Date