The authentication failure logs only can be found in signon history.
But the TA only allows to get the inputs on User_Activity.
Can we create another inputs for signon history?
Please vote for some features here: https://community.workday.com/brainstorms?search-brainstorm=splunk&f%5B0%5D=product%3A90&f%5B1%5D=pr...
It will be not processed probably without this unfortunately...