numanshaik-security/Splunk-security-dashboard

📊 Dashboard Screenshots

Failed Login Attempts (EventCode 4625)

Failed Logons Trend

Top Accounts with Failed Logons

Failed Logons Over Time by Workstation

Failed Logons by Hour (Last 7 Days)

Top Failure Reasons (Last 30 Days)

Successful Logons (4624) – Daily Trend

Account Lockouts (4740) – Daily Trend

🔍 SPL Queries

1) Failed Login Attempts (EventCode 4625) — Daily Count

index=winlogs sourcetype=WinEventLog:Security EventCode=4625
| timechart span=1d count AS Failed_Logons

2) Failed Logons (Trend) — Hourly

index=winlogs sourcetype=WinEventLog:Security EventCode=4625
| timechart span=1h count AS Failed_Logons

3) Top Accounts with Failed Logons (Last 30 Days)

index=winlogs sourcetype=WinEventLog:Security EventCode=4625 earliest=-30d
| stats count AS Failed_Count by Account_Name
| sort - Failed_Count
| head 10

4) Failed Logons Over Time by Workstation

index=winlogs sourcetype=WinEventLog:Security EventCode=4625
| fillnull value="(unknown)" Workstation_Name
| timechart span=1h count BY Workstation_Name

5) Failed Logons by Hour (Last 7 Days)

index=winlogs sourcetype=WinEventLog:Security EventCode=4625 earliest=-7d
| eval hour=strftime(_time,"%H")
| stats count AS Failed_Count by hour
| sort hour

6) Top Failure Reasons for Failed Logons (Last 30 Days)

index=winlogs sourcetype=WinEventLog:Security EventCode=4625 earliest=-30d
| fillnull value="(unspecified)" Failure_Reason
| stats count AS Failed_Count by Failure_Reason
| sort - Failed_Count
| head 10

7) Successful Logons (4624) — Daily Trend

index=winlogs sourcetype=WinEventLog:Security EventCode=4624
| timechart span=1d count AS Successful_Logons

8) Account Lockouts (4740) — Daily Trend

index=winlogs sourcetype=WinEventLog:Security EventCode=4740
| timechart span=1d count AS Account_Lockouts

About

Windows security monitoring dashboard with Splunk - Real-time failed login detection and SIEM analytics