Data Source: Windows Event Log Security 4625

Date: 2025-07-10

ID: 365a02c2-7d18-4baf-b76e-d90c20bbe6ed

Author: Patrick Bareiss, Splunk

Description

Logs an event when an account fails to log on to a system.

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`XmlWinEventLog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActivityID</span>
  
  <span class="pill kill-chain">AuthenticationPackageName</span>
  
  <span class="pill kill-chain">Caller_Domain</span>
  
  <span class="pill kill-chain">Caller_User_Name</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">Error_Code</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">FailureReason</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">IpAddress</span>
  
  <span class="pill kill-chain">IpPort</span>
  
  <span class="pill kill-chain">KeyLength</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">LmPackageName</span>
  
  <span class="pill kill-chain">LogonProcessName</span>
  
  <span class="pill kill-chain">LogonType</span>
  
  <span class="pill kill-chain">Logon_ID</span>
  
  <span class="pill kill-chain">Logon_Type</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">ProcessId</span>
  
  <span class="pill kill-chain">ProcessName</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">Source_Port</span>
  
  <span class="pill kill-chain">Source_Workstation</span>
  
  <span class="pill kill-chain">Status</span>
  
  <span class="pill kill-chain">SubStatus</span>
  
  <span class="pill kill-chain">Sub_Status</span>
  
  <span class="pill kill-chain">SubjectDomainName</span>
  
  <span class="pill kill-chain">SubjectLogonId</span>
  
  <span class="pill kill-chain">SubjectUserName</span>
  
  <span class="pill kill-chain">SubjectUserSid</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">TargetDomainName</span>
  
  <span class="pill kill-chain">TargetUserName</span>
  
  <span class="pill kill-chain">TargetUserSid</span>
  
  <span class="pill kill-chain">Target_Domain</span>
  
  <span class="pill kill-chain">Target_User_Name</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">TransmittedServices</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">WorkstationName</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_nt_domain</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">name</span>
  
  <span class="pill kill-chain">process</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">session_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">src_port</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">ta_windows_action</span>
  
  <span class="pill kill-chain">ta_windows_status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::app</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_group</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2023-03-22T20:25:15.594676400Z'/><EventRecordID>367348</EventRecordID><Correlation ActivityID='{6C54D781-5C05-0000-8CD7-546C055CD901}'/><Execution ProcessID='588' ThreadID='3564'/><Channel>Security</Channel><Computer>ar-win-8.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>builtin</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>-</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>10.0.1.30</Data><Data Name='IpPort'>59450</Data></EventData></Event>

Source: GitHub | Version: 3