The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an average (from eventstats).
|
1 |
index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts| eventstats avg(Failed_Attempts) as Average |
This Splunk search will show any failed login attempt and graphically overlay an average value.
|
1 |
sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as "Failed Logons" |
This splunk query will return results for failed logon attempts to accounts that do not exist. This has been tested and confirmed on Windows Server 2008 and newer machines:
|
1 |
 source="WinEventLog:security" sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000064 |eval Date=strftime(_time, "%Y/%m/%d") |rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)" | stats count by Date, uacct, host | rename count as "Attempts" | sort - Attempts |
Splunk query for all failed logon attempts within a windows environment.
|
1 |
sourcetype="WinEventLog:Security" ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") |
