Skip to main content

SIEM - Search for Failed logins

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook searches for failed logon on a specific user by querying logs from different sources.

Supported Integrations: -Splunk -QRadar -Azure Log Analytics.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • CountArraySize
  • Set


  • qradar-search-retrieve-events
  • azure-log-analytics-execute-query
  • splunk-search

Playbook Inputs#

NameDescriptionDefault ValueRequired
SplunkIndexSplunk's index name in which to search. Default is "*" - All.*Optional
SplunkEarliestTimeThe earliest time for the Splunk search query.-1dOptional
SplunkLatestTimeThe latest time for the Splunk search query.nowOptional
QRadarSearchTimeThe Search Time for the QRadar search query. for example: Last 1 daysLast 1 daysOptional
AzureSearchTimeThe Search Time for the Azure Log Analytics search query. for example: ago(1d)ago(1d)Optional
UsernameUser name.Optional

Playbook Outputs#

NumOfSiemFailedLogonNumber of failed login from Siem.unknown
QRadar.SearchEventsThe result of the QRadar search.unknown
Splunk.ResultThe results of the Splunk search. The results are a JSON array, in which each item is a Splunk event.unknown
AzureFailedLogonLogsThe result of the Azure Log Analytics search.unknown

Playbook Image#

SIEM - Search for Failed logins