Forum Discussion
Failed Logins
Hi All,
I am tyring to do up a script that will list out the following details if there is a failed login more than 3 times
This is my script
SigninLogs
| where ResultDescription contains "Invalid username or password or Invalid on-premise username or password."
| where ResultType contains "50126"
| summarize count() by Identity, ResultDescription , IPAddress
End Result
How should the script be amened such that I can search or 3 failed logins within the span of 5 mins?
I have been trying for weeks but no luck.
Any help is much appreciated!
2 Replies
- Was this helpful @alez881 ?
SigninLogs | where ResultDescription contains "Invalid username or password or Invalid on-premise username or password." | where ResultType contains "50126" | summarize count() by Identity, ResultDescription , IPAddress, bin(TimeGenerated,5m) | where count_ > 3You need to use bin() to set the 5mins bin() - Azure Data Explorer | Microsoft Learn
