# SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FeMKeuOdGL3fXXjKKGMEe%2Fimage.png?alt=media&#x26;token=5d2110cd-b33b-473d-8031-5268f8f26e97" alt=""><figcaption></figcaption></figure>

For this task we can create new dashboard

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F8axLijNpzld3Lh0tkm5D%2Fimage.png?alt=media&#x26;token=4e805820-05ae-4a59-80c8-1dc9d8ae7d38" alt=""><figcaption></figcaption></figure>

Create visual

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FALKK1ZudL5XyOO9HfOET%2Fimage.png?alt=media&#x26;token=3bdba716-f605-4d89-a12c-18d6da28ef6e" alt=""><figcaption></figcaption></figure>

Add filter

event.code is 4625 = Failed logon attempt on a Windows system

winlog.event\_data.SubStatus is 0xC0000072

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fjs6Ln9NvJyvwUjJfceAl%2Fimage.png?alt=media&#x26;token=760b2ed4-b3b0-479f-8188-f81507ad4a81" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fw8Ud08MAfczwsNdmZ4wV%2Fimage.png?alt=media&#x26;token=9794feec-5e33-4e61-b45c-6f6c766f1799" alt=""><figcaption></figcaption></figure>

Select windows\*

Check for user.name.keyword in the left side

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FybXkz9MbvD18VKfCl8Rv%2Fimage.png?alt=media&#x26;token=e054da80-9884-42d0-8203-0ca68992605d" alt=""><figcaption></figcaption></figure>

Select table type for visualization

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F0Yk7c1JIkvIKZqJPpz6y%2Fimage.png?alt=media&#x26;token=c254a282-86cf-4f6c-aeda-551d3f81dfbc" alt=""><figcaption></figcaption></figure>

Add rows field user.name.keyword number 1000

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fd04HdKpiLlLBd9m1MfFC%2Fimage.png?alt=media&#x26;token=d3c6bf49-ac73-45e5-b0b8-807a45b5cb6c" alt=""><figcaption></figcaption></figure>

Add another host.hostname.keyword - 1000

Metric - count&#x20;

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FG9aSxmQMV3sqbDes3ZG0%2Fimage.png?alt=media&#x26;token=a68a298a-29af-4e13-afbc-86b5a9a4ebd3" alt=""><figcaption></figcaption></figure>

Just save and return

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FtBzYN21Z5USWiWibIfGz%2Fimage.png?alt=media&#x26;token=ef987bf5-7cfe-4939-92b8-7262d9c69fbc" alt=""><figcaption></figcaption></figure>

Add another row to see the logon type

winlog.logon.type.keyword - number 1000

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FDPSGzc9x1cHAoE2DZMpp%2Fimage.png?alt=media&#x26;token=10600207-f7c4-4ebd-8f4b-ad18c0e80512" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F9hv5Nun5B8iM9ehDIR3S%2Fimage.png?alt=media&#x26;token=9c7d9a9c-c4cf-448e-ae06-7413657476c1" alt=""><figcaption></figcaption></figure>