Did a little research and built the following query to display failed Remote Desktop Attempts by geo location on a map:
source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, Failure_Reason, Source_Network_Address | iplocation Source_Network_Address | geostats count by Source_Network_Address | sort -count
To view failed attempts by date, login, reason, and source IP I found the following query:
source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, Failure_Reason, Source_Network_Address
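An added example (not part of the original post) that replays the second query's logic in Python over constructed 4625 event text, showing that anchoring the pattern on "Failed:" extracts the account that failed to log on rather than the Subject account. The event layout, host, account names and IP addresses are constructed, Python's `(?P<name>...)` stands in for rex's `(?<name>...)`, and dates are rendered in UTC as an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Same pattern as the rex in the query; only the named-group spelling differs.
TARGET_RE = re.compile(r"Failed:\s+.*\s+Account\sName:\s+(?P<TargetAccount>\S+)\s")
FIELD_RE = {
    "Logon_Type": re.compile(r"Logon Type:\s+(\d+)"),
    "Failure_Reason": re.compile(r"Failure Reason:[ \t]+(.+)"),
    "Source_Network_Address": re.compile(r"Source Network Address:\s+(\S+)"),
}

def make_event(epoch, subject, target, ip, logon_type=10):
    """Constructed, abbreviated 4625 message text (not a real log)."""
    return epoch, (
        "EventCode=4625\nAn account failed to log on.\n\n"
        f"Subject:\n\tSecurity ID:\t\tSYSTEM\n\tAccount Name:\t\t{subject}\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "Account For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{target}\n\tAccount Domain:\t\tLAB\n\n"
        "Failure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\n"
        f"Network Information:\n\tWorkstation Name:\tWS1\n\tSource Network Address:\t{ip}\n"
    )

def parse_event(epoch, text):
    """Return (Date, TargetAccount, Failure_Reason, Source_Network_Address),
    or None when the event is not a failed RemoteInteractive (type 10) logon."""
    fields = {k: m.group(1).strip() for k, rx in FIELD_RE.items() if (m := rx.search(text))}
    target = TARGET_RE.search(text)
    if "EventCode=4625" not in text or fields.get("Logon_Type") != "10" or not target:
        return None
    date = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d")
    return (date, target.group("TargetAccount"),
            fields.get("Failure_Reason"), fields.get("Source_Network_Address"))

def stats_count(events):
    """Equivalent of: stats count by Date, TargetAccount, Failure_Reason, Source_Network_Address."""
    return Counter(row for e in events if (row := parse_event(*e)))

EVENTS = [  # constructed sample data; IPs are documentation ranges
    make_event(1700000000, "RDPHOST$", "administrator", "203.0.113.7"),
    make_event(1700000060, "RDPHOST$", "administrator", "203.0.113.7"),
    make_event(1700000120, "RDPHOST$", "backup", "198.51.100.23"),
    make_event(1700000180, "RDPHOST$", "alice", "192.0.2.10", logon_type=3),
]

if __name__ == "__main__":
    for row, count in stats_count(EVENTS).most_common():
        print(count, *row)
```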