I have the Splunk Windows Infrastructure app installed, and when I run the search below:
eventtype=msad-failed-user-logons host="*"
I get the result below, but I'm not understanding how the search result is associated with eventtype=msad-failed-user-logons. The result shows EventType=0. What does msad-failed-user-logons mean, and why doesn't it show up in the search result?
09/19/2017 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=xxxxx.domain.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=9555000
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
host=somehost source=WinEventLog:Security sourcetype=WinEventLog:Security
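The following is an added illustration, not code from the question or from the Splunk Windows Infrastructure app. It models the distinction the question runs into: `EventType=0` is a field extracted from the Windows event itself, whereas a Splunk eventtype is a named search defined in eventtypes.conf that gets evaluated against each event at search time and, when it matches, adds an `eventtype=<name>` field next to the event. The eventtype definition used here (sourcetype WinEventLog:Security, EventCode 4776 or 4625, Keywords Audit Failure) is an assumption for the demo; the app's real definition should be read from the app's eventtypes.conf or via `| rest /services/saved/eventtypes`. The event text is a copy of the one posted in the question.

```python
import re

# Constructed sample: the event from the question, verbatim (values already anonymised).
SAMPLE_EVENT = """09/19/2017 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=xxxxx.domain.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=9555000
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
"""

# ASSUMED eventtype definition, written as the search terms eventtypes.conf would hold.
# The real msad-failed-user-logons stanza in the app may use different terms.
ASSUMED_EVENTTYPES = {
    "msad-failed-user-logons": {
        "sourcetype": "WinEventLog:Security",
        "EventCode": {"4776", "4625"},
        "Keywords": "Audit Failure",
    },
}

# Error codes documented by Microsoft for event 4776 (NTSTATUS values).
NTSTATUS_4776 = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "correct user name but wrong password",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
    "0xC0000193": "account expired",
    "0xC0000234": "account locked out",
}

FIELD_LINE = re.compile(r"^([A-Za-z ]+?)\s*[=:]\s*(.*)$")


def extract_fields(raw, sourcetype="WinEventLog:Security"):
    """Mimic Splunk's search-time extraction of key=value / 'Key: value' lines.
    Spaces in keys are turned into underscores, as the Windows TA does
    (e.g. 'Error Code' becomes Error_Code)."""
    fields = {"sourcetype": sourcetype, "_raw": raw}
    for line in raw.splitlines():
        m = FIELD_LINE.match(line)
        if m:  # the timestamp line has no key and is skipped
            fields[m.group(1).strip().replace(" ", "_")] = m.group(2).strip()
    return fields


def matches(fields, definition):
    """Every term in the eventtype's search must match; a set means OR."""
    for key, want in definition.items():
        have = fields.get(key)
        if have is None:
            return False
        if isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def apply_eventtypes(fields, eventtypes=ASSUMED_EVENTTYPES):
    """Return the eventtype names whose search matches this event.
    Splunk exposes these as the multivalue field 'eventtype', which is not
    part of the raw event body and so is not printed inside it."""
    return sorted(name for name, d in eventtypes.items() if matches(fields, d))


def describe_error(code):
    """Translate the 4776 Error Code into the documented failure reason."""
    return NTSTATUS_4776.get(code.upper().replace("0XC", "0xC"), "unknown error code")


if __name__ == "__main__":
    f = extract_fields(SAMPLE_EVENT)
    f["eventtype"] = apply_eventtypes(f)
    print("EventType (Windows field):", f["EventType"])
    print("eventtype (Splunk tag):   ", f["eventtype"])
    print("Error_Code:", f["Error_Code"], "->", describe_error(f["Error_Code"]))
    # A successful validation has Keywords=Audit Success and would not be tagged.
    ok = extract_fields(SAMPLE_EVENT.replace("Audit Failure", "Audit Success"))
    print("Audit Success event tagged as:", apply_eventtypes(ok))
```

Run against the posted event this prints `EventType` as `0` (the Windows field, unrelated to Splunk eventtypes) and the Splunk `eventtype` list as `['msad-failed-user-logons']`, and decodes the 4776 Error Code 0xC0000071 as a password-expired failure; the same event with `Keywords=Audit Success` gets no eventtype. In Splunk the tag shows up under the event's fields (`eventtype`), not in the raw text, which is why it is absent from the body in the question.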