# CrowdStrike Searches

**User Login Success**

````splunk-spl
index=main sourcetype=UserLogon* event_simpleName=UserLogon event_platform=win 
| search UserName="USERNAME" ```Add your UserName here```
| eval LogonType=case(LogonType_decimal="2", "Interactive", LogonType_decimal="3", "Network", LogonType_decimal="4", "Batch", LogonType_decimal="5", "Service", LogonType_decimal="6", "Proxy", LogonType_decimal="7", "Unlock", LogonType_decimal="8", "Network Cleartext", LogonType_decimal="9", "New Credentials", LogonType_decimal="10", "RDP", LogonType_decimal="11", "Cached Credentials", LogonType_decimal="12", "Auditing", LogonType_decimal="13", "Unlock Workstation")
| table _time, UserName, ComputerName, LocalAddressIP4, LogonType, LogonDomain 
````

**User Login Failed**

````splunk-spl
index=main sourcetype=UserLogon* event_simpleName=UserLogonFailed* event_platform=win SubStatus_decimal!=0
| search UserName="USERNAME" ```Add your UserName here```
| eval SubStatus_decimal=tostring(SubStatus_decimal,"hex") ```tostring() emits lowercase hex and replace() is case-sensitive, so every pattern below carries the (?i) flag```
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000064", "User name does not exist")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC000006A", "User name is correct but the password is wrong")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000234", "User is currently locked out")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000072", "Account is currently disabled")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC000006F", "User tried to log on outside their day-of-week or time-of-day restrictions")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000070", "Workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on the domain controller)")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000193", "Account expiration")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000071", "Expired password")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000133", "Clocks between DC and other computer too far out of sync")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000224", "User is required to change password at next logon")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC0000225", "Evidently a bug in Windows and not a risk")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC000015B", "The user has not been granted the requested logon type (aka logon right) at this machine")
| eval SubStatus_decimal=replace(SubStatus_decimal,"(?i)0xC000006E", "Unknown user name or bad password")
| eval LogonType=case(LogonType_decimal="2", "Interactive", LogonType_decimal="3", "Network", LogonType_decimal="4", "Batch", LogonType_decimal="5", "Service", LogonType_decimal="6", "Proxy", LogonType_decimal="7", "Unlock", LogonType_decimal="8", "Network Cleartext", LogonType_decimal="9", "New Credentials", LogonType_decimal="10", "RDP", LogonType_decimal="11", "Cached Credentials", LogonType_decimal="12", "Auditing", LogonType_decimal="13", "Unlock Workstation")
| eventstats count AS failedCount BY UserName, ComputerName ```Failures per user and host, so the sort below has a field to act on```
| table _time, UserName, ComputerName, LocalAddressIP4, LogonType, SubStatus_decimal, LogonDomain, failedCount
| sort - failedCount
````
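The two searches above decode `LogonType_decimal` and `SubStatus_decimal` inside Splunk. When the same events are exported from Falcon (for example as JSON lines handed over with a case), the decoding has to be redone offline, and the sub-status field turns up in several shapes: the unsigned decimal Falcon emits, a signed 32-bit form from other tooling, or a hex string. The script below is an added example, not part of the handbook or of CrowdStrike's tooling; it normalises all three forms to the NTSTATUS value, applies the same two mappings as the searches, and counts failures per user and host the way the `eventstats`/`sort` pair does. The sample export is constructed, and the field names are assumed to match the schema used by the searches.

```python
"""Decode exported CrowdStrike UserLogonFailed events without Splunk.
Added example; sample events below are constructed, not real telemetry."""
import json
from collections import Counter

# Windows logon types, same mapping as the SPL case() above.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "Network Cleartext", 9: "New Credentials", 10: "RDP",
    11: "Cached Credentials", 12: "Auditing", 13: "Unlock Workstation",
}

# NTSTATUS sub-status codes, same set as the failed-logon search above.
SUB_STATUS = {
    0xC0000064: "User name does not exist",
    0xC000006A: "User name is correct but the password is wrong",
    0xC0000234: "User is currently locked out",
    0xC0000072: "Account is currently disabled",
    0xC000006F: "Logon outside permitted day-of-week or time-of-day restrictions",
    0xC0000070: "Workstation restriction or Authentication Policy Silo violation",
    0xC0000193: "Account expiration",
    0xC0000071: "Expired password",
    0xC0000133: "Clocks between DC and other computer too far out of sync",
    0xC0000224: "User is required to change password at next logon",
    0xC0000225: "Evidently a bug in Windows and not a risk",
    0xC000015B: "User has not been granted the requested logon type at this machine",
    0xC000006E: "Unknown user name or bad password",
}


def normalise_status(value):
    """Return the NTSTATUS as an unsigned 32-bit int.  Accepts the unsigned
    decimal Falcon exports, the signed form (-1073741718) some tools emit,
    and a hex string in either case."""
    if isinstance(value, str):
        text = value.strip().lower()
        value = int(text, 16) if text.startswith("0x") else int(text)
    return value & 0xFFFFFFFF


def decode_sub_status(value):
    code = normalise_status(value)
    return SUB_STATUS.get(code, f"Unknown sub-status 0x{code:08X}")


def decode_logon_type(value):
    return LOGON_TYPES.get(int(value), f"Unknown logon type {value}")


def summarise_failures(events):
    """Mirror of the failed-logon search: decoded rows plus a failure count
    per (UserName, ComputerName), most failures first."""
    rows, counts = [], Counter()
    for ev in events:
        if ev.get("event_simpleName") != "UserLogonFailed":
            continue
        if normalise_status(ev.get("SubStatus_decimal", 0)) == 0:  # SubStatus_decimal!=0
            continue
        key = (ev["UserName"], ev["ComputerName"])
        counts[key] += 1
        rows.append({
            "UserName": ev["UserName"],
            "ComputerName": ev["ComputerName"],
            "LogonType": decode_logon_type(ev["LogonType_decimal"]),
            "SubStatus": decode_sub_status(ev["SubStatus_decimal"]),
        })
    for row in rows:
        row["failedCount"] = counts[(row["UserName"], row["ComputerName"])]
    rows.sort(key=lambda r: r["failedCount"], reverse=True)
    return rows


# Constructed sample export (JSON lines).  Three encodings of SubStatus:
# unsigned decimal, signed decimal and lowercase hex.
SAMPLE_EXPORT = """\
{"event_simpleName":"UserLogonFailed","UserName":"jdoe","ComputerName":"WS01","LogonType_decimal":"10","SubStatus_decimal":"3221225578"}
{"event_simpleName":"UserLogonFailed","UserName":"jdoe","ComputerName":"WS01","LogonType_decimal":"10","SubStatus_decimal":"-1073741718"}
{"event_simpleName":"UserLogonFailed","UserName":"svc_backup","ComputerName":"SRV02","LogonType_decimal":"3","SubStatus_decimal":"0xc000015b"}
{"event_simpleName":"UserLogon","UserName":"jdoe","ComputerName":"WS01","LogonType_decimal":"2","SubStatus_decimal":"0"}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in summarise_failures(load_events(SAMPLE_EXPORT)):
        print(row)
```

Masking with `0xFFFFFFFF` is what makes the signed and unsigned encodings land on the same key; it is the offline equivalent of getting the hex comparison case right in the SPL.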

**RDP to Host**

````splunk-spl
event_platform=win event_simpleName=UserLogon RemoteAddressIP4!="" LogonType_decimal=10
| search (UserName="USERNAME" OR ComputerName="COMPUTERNAME") ```Change the user or hostname. If only one is present, use a *.```
| stats dc(RemoteAddressIP4) AS "Unique IPs", count(RemoteAddressIP4) AS "Connection Count", values(RemoteAddressIP4) AS "Connecting IP" BY aid, ComputerName, UserName, UserSid_readable
| sort -"Connection Count"
| rename aid AS "Agent ID"
````

**RDP from Host**

````splunk-spl
index=main event_platform=win sourcetype IN (NetworkConnectIP4*, ProcessRollup2*) ((event_simpleName=NetworkConnectIP4 AND RPort=3389) OR event_simpleName=ProcessRollup2)
| search (UserName="USERNAME" OR ComputerName="COMPUTERNAME") ```Change the user or hostname. If only one is present, use a *.```
| eval falconPID=coalesce(TargetProcessId_decimal, ContextProcessId_decimal)
| stats dc(event_simpleName) as eventCount, earliest(ContextTimeStamp_decimal) as ConnectionTime, values(ComputerName) as ComputerName, values(FileName) as FileName, values(CommandLine) as CommandLine, values(RemoteIP) as RemoteIP, values(RPort) as RemotePort by aid, falconPID
| where eventCount > 1
| table ConnectionTime, ComputerName, FileName, falconPID, CommandLine, RemotePort, RemoteIP
| convert ctime(ConnectionTime)
````
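The "RDP from Host" search works by joining two event types on the Falcon process id: `ProcessRollup2` carries its own id in `TargetProcessId_decimal`, while `NetworkConnectIP4` carries the originating process in `ContextProcessId_decimal`, so `coalesce()` of the two gives one key, and `where eventCount > 1` keeps only processes for which both a command line and a port-3389 connection were seen. The script below is an added example, not part of the handbook or of CrowdStrike's tooling, that performs the same correlation over an exported event set. It assumes `RemotePort` and `RemoteAddressIP4` as the raw field names behind the search's `RPort` and `RemoteIP`, and the sample events are constructed.

```python
"""Correlate outbound RDP connections with the process that made them, as the
"RDP from Host" search does.  Added example; sample events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timezone

RDP_PORT = 3389


def falcon_pid(ev):
    """coalesce(TargetProcessId_decimal, ContextProcessId_decimal)."""
    pid = ev.get("TargetProcessId_decimal") or ev.get("ContextProcessId_decimal")
    return str(pid)


def correlate_rdp(events):
    """Group by (aid, falconPID); keep groups that contain both a port-3389
    NetworkConnectIP4 and a ProcessRollup2 (the search's eventCount > 1)."""
    groups = defaultdict(lambda: {"net": [], "proc": None})
    for ev in events:
        name = ev.get("event_simpleName")
        key = (ev["aid"], falcon_pid(ev))
        if name == "NetworkConnectIP4" and int(ev.get("RemotePort", 0)) == RDP_PORT:
            groups[key]["net"].append(ev)
        elif name == "ProcessRollup2":
            groups[key]["proc"] = ev
    rows = []
    for (aid, pid), g in groups.items():
        if not g["net"] or g["proc"] is None:
            continue  # only one of the two event types: drop, as the search does
        first = min(float(n["ContextTimeStamp_decimal"]) for n in g["net"])
        rows.append({
            "ConnectionTime": datetime.fromtimestamp(first, tz=timezone.utc).isoformat(),
            "ComputerName": g["proc"]["ComputerName"],
            "FileName": g["proc"]["FileName"],
            "falconPID": pid,
            "CommandLine": g["proc"]["CommandLine"],
            "RemotePort": RDP_PORT,
            "RemoteIP": sorted({n["RemoteAddressIP4"] for n in g["net"]}),
        })
    rows.sort(key=lambda r: r["ConnectionTime"])
    return rows


# Constructed sample export.  Process 1001 (mstsc.exe) connects to two hosts on
# 3389; process 2002 connects on 443 (ignored); process 3003 has a 3389
# connection but no rollup and process 4004 a rollup but no connection, so
# both are dropped.
SAMPLE_RDP_EXPORT = """\
{"event_simpleName":"ProcessRollup2","aid":"aid-A","ComputerName":"WS01","TargetProcessId_decimal":"1001","FileName":"mstsc.exe","CommandLine":"mstsc.exe /v:10.0.0.5"}
{"event_simpleName":"NetworkConnectIP4","aid":"aid-A","ContextProcessId_decimal":"1001","RemoteAddressIP4":"10.0.0.5","RemotePort":"3389","ContextTimeStamp_decimal":"1700000000"}
{"event_simpleName":"NetworkConnectIP4","aid":"aid-A","ContextProcessId_decimal":"1001","RemoteAddressIP4":"10.0.0.6","RemotePort":"3389","ContextTimeStamp_decimal":"1700000100"}
{"event_simpleName":"NetworkConnectIP4","aid":"aid-A","ContextProcessId_decimal":"2002","RemoteAddressIP4":"203.0.113.9","RemotePort":"443","ContextTimeStamp_decimal":"1700000050"}
{"event_simpleName":"NetworkConnectIP4","aid":"aid-A","ContextProcessId_decimal":"3003","RemoteAddressIP4":"10.0.0.7","RemotePort":"3389","ContextTimeStamp_decimal":"1700000200"}
{"event_simpleName":"ProcessRollup2","aid":"aid-A","ComputerName":"WS01","TargetProcessId_decimal":"4004","FileName":"chrome.exe","CommandLine":"chrome.exe"}
"""


def load_rdp_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in correlate_rdp(load_rdp_events(SAMPLE_RDP_EXPORT)):
        print(row)
```

Process 3003 is the case worth noticing in practice: a 3389 connection with no matching `ProcessRollup2` in the export (rollup outside the time window, or sensor gaps) disappears from this result just as it does from the search, so a zero-row result does not prove no RDP was initiated.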

**SSO Requests**

````splunk-spl
index=main sourcetype=SsoApplication* event_simpleName=SsoApplicationAccess
| search SourceAccountUserName="USERNAME" ```Change the username```
| rename event_err as "Event Error?"
| rename _time as Time
| rename SourceAccountUserName as UserName
| rename SourceEndpointAddressIP4 as "Source IP"
| rename SsoApplicationIdentifier as "SSO Application"
| rename ClientUserAgentString as "User Agent"
| table Time, UserName, "Source IP", "SSO Application","User Agent",  "Event Error?"
````
