This splunk query will return results for failed logon attempts to accounts that do not exist. This has been tested and confirmed on Windows Server 2008 and newer machines: source=”WinEventLog:security” sourcetype=”WinEventLog:Security” EventCode=4625 Sub_Status=0xC0000064 |eval Date=strftime(_time, “%Y/%m/%d”) |rex “Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)” | stats count by Date, uacct, host | rename count as “Attempts” | sort – Attempts
