Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host: source=”WinEventLog:security” EventCode=4625 | timechart span=1h count by host The following Splunk query will show a detailed table of failed logon attempts per host and user with 5 minute chunks/blocks of time, as well as show a sparkline (mini timechart) within the […]

Continue Reading →

Failed Attempt to Initiate Remote Desktop Session

This splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed grab it here:¬†https://apps.splunk.com/app/742/ Windows Server 2008 and Newer: source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, “%Y/%m/%d”) | rex “Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s” | stats count by Date, TargetAccount, […]

Continue Reading →