SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
July 3, 2024

For this task we can create a new dashboard.

Create a visualization

Add filters:
event.code is 4625 (failed logon attempt on a Windows system)
winlog.event_data.SubStatus is 0xC0000072 (the account is disabled)


Select the windows* index pattern
Check for user.name.keyword on the left side

Select the table type for the visualization

Add a rows field: user.name.keyword - number 1000

Add another row: host.hostname.keyword - number 1000
Metric - count

Just save and return

Add another row to see the logon type
winlog.logon.type.keyword - number 1000
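
The same table computed outside Kibana, as an added example that is not part of the original page: `build_query` approximates the search body for the two filters and three row fields above, and `disabled_logon_table` applies the same logic to constructed sample events. The function names, sample users and hosts are hypothetical, and events are assumed to be nested ECS-style documents.

```python
from collections import Counter

# Filter values and row fields taken from the steps above.
FILTERS = {"event.code": "4625", "winlog.event_data.SubStatus": "0xC0000072"}
ROW_FIELDS = ["user.name.keyword", "host.hostname.keyword", "winlog.logon.type.keyword"]

def build_query(size=1000):
    """Approximate search body: both filters, nested terms rows, count metric."""
    aggs = {}
    for field in reversed(ROW_FIELDS):  # build innermost row first
        level = {"terms": {"field": field, "size": size}}
        if aggs:
            level["aggs"] = aggs
        aggs = {field: level}
    flt = [{"match_phrase": {k: v}} for k, v in FILTERS.items()]
    return {"size": 0, "query": {"bool": {"filter": flt}}, "aggs": aggs}

def get_field(event, dotted):
    """Read a dotted path; '.keyword' is a mapping sub-field, not a document key."""
    if dotted.endswith(".keyword"):
        dotted = dotted[: -len(".keyword")]
    for part in dotted.split("."):
        if not isinstance(event, dict):
            return None
        event = event.get(part)
    return event

def disabled_logon_table(events):
    """Count matching events per (user, host, logon type), highest count first."""
    rows = Counter()
    for ev in events:
        if all(str(get_field(ev, k)).lower() == v.lower() for k, v in FILTERS.items()):
            rows[tuple(get_field(ev, f) for f in ROW_FIELDS)] += 1
    return rows.most_common()

def make_event(code, sub, user, host, ltype):
    return {"event": {"code": code}, "user": {"name": user}, "host": {"hostname": host},
            "winlog": {"event_data": {"SubStatus": sub}, "logon": {"type": ltype}}}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    make_event("4625", "0xC0000072", "svc-old", "WS01", "Network"),
    make_event("4625", "0xc0000072", "svc-old", "WS01", "Network"),
    make_event("4625", "0xC0000072", "jdoe", "DC01", "RemoteInteractive"),
    make_event("4625", "0xC000006A", "jdoe", "DC01", "Interactive"),  # wrong password, excluded
    make_event("4624", None, "alice", "WS02", "Interactive"),         # successful logon, excluded
]

if __name__ == "__main__":
    for (user, host, ltype), count in disabled_logon_table(SAMPLE_EVENTS):
        print(user, host, ltype, count)
```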

