SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
July 3, 2024
For this task, we can create a new dashboard.
Create a visualization
Add filters:
event.code is 4625 = failed logon attempt on a Windows system
winlog.event_data.SubStatus is 0xC0000072 = the account is disabled
Select windows*
Look for user.name.keyword on the left side
Select the table type for the visualization
Add a rows field: user.name.keyword, number 1000
Add another rows field: host.hostname.keyword, number 1000
Metric: count
Save and return
Add another row to see the logon type:
winlog.logon.type.keyword, number 1000
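
The same filter and table can be reproduced outside Kibana to sanity-check what the visualization should show. This is an added Python example, not part of the original page. The nested document layout, the helper names and the sample events are assumptions constructed for illustration, and the .keyword suffix is dropped because it only names the aggregatable sub-field of the same value.

```python
from collections import Counter

DISABLED_ACCOUNT = "0xc0000072"  # SubStatus from the filter, compared lower-cased

def field(event, dotted):
    """Read a dotted field name such as 'winlog.event_data.SubStatus'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def is_disabled_logon_failure(event):
    """The two filters of the visualization: event.code and SubStatus."""
    code = str(field(event, "event.code"))
    sub = str(field(event, "winlog.event_data.SubStatus") or "").lower()
    return code == "4625" and sub == DISABLED_ACCOUNT

def disabled_logon_table(events):
    """Rows: user.name, host.hostname, winlog.logon.type. Metric: count."""
    columns = ("user.name", "host.hostname", "winlog.logon.type")
    counts = Counter()
    for ev in events:
        if is_disabled_logon_failure(ev):
            counts[tuple(field(ev, c) or "(missing)" for c in columns)] += 1
    return counts.most_common()  # highest count first, like the table

def make_event(code, sub_status, user, host, logon_type):
    """Build one constructed sample document in the nested field layout."""
    return {"event": {"code": code}, "user": {"name": user},
            "host": {"hostname": host},
            "winlog": {"event_data": {"SubStatus": sub_status},
                       "logon": {"type": logon_type}}}

# Constructed sample events, not taken from a real environment.
SAMPLE_EVENTS = [
    make_event("4625", "0xC0000072", "svc-old", "WS01", "Network"),
    make_event("4625", "0xc0000072", "svc-old", "WS01", "Network"),
    make_event("4625", "0xC0000072", "jdoe", "DC01", "RemoteInteractive"),
    make_event("4625", "0xC000006A", "alice", "WS01", "Interactive"),  # other SubStatus
    make_event("4624", None, "alice", "WS01", "Interactive"),  # successful logon
]

if __name__ == "__main__":
    for (user, host, logon_type), count in disabled_logon_table(SAMPLE_EVENTS):
        print(f"{user:10} {host:6} {logon_type:18} {count}")
```

The SubStatus comparison here ignores letter case, whereas a filter on a keyword field matches the exact string, so check how the value is cased in your own index if the table comes back empty.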