Tythadius
Copper Contributor
Jul 10, 2022

More than 10 failed logins per user and device

Hello, I have been working with a query that is very useful, but I want it to show me the username of the person as well as the device used. I am using a pre-built query I found to detect more than 10 failed logins. I also want to be able to search for a specific name of a person in our company. Thanks. Here is the query that I have been using.


// Sample query to detect if there are more than 10 failed logon authentications on high value assets.
// Update DeviceName to reflect your high value assets.
// For questions @MiladMSFT on Twitter or email address removed for privacy reasons
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| where LogonFailures > 10
| project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| sort by LogonFailures desc
  • madhumohan
    Copper Contributor
    The following should help you.

    DeviceLogonEvents
    | where AccountName in~ ("Tythadius", "Tythadius2")
    | where ActionType == "LogonFailed"
    | summarize LogonFailures = count() by AccountName, LogonType
    | where LogonFailures > 10
  • Clive_Watson
    Bronze Contributor

    Tythadius
    If I remember, you have to (and there may be other ways) match the LogonAttempted with the LogonFailure - something like this:

    DeviceLogonEvents
    | where TimeGenerated > ago(12h)
    | where ActionType == "LogonAttempted"
    // KQL identifiers cannot start with a digit, so the timestamps are named FirstTime/SecondTime
    | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, FirstTime = TimeGenerated
    | join kind=inner 
    (
        DeviceLogonEvents
        | where ActionType == "LogonFailed"
        | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, SecondTime = TimeGenerated
    ) on DeviceName
    // where failed is after attempted and Device and process match 
    | where SecondTime > FirstTime and DeviceName == DeviceName1 and InitiatingProcessCommandLine == InitiatingProcessCommandLine1
    | summarize arg_max(FirstTime,*) by DeviceName 


    • Tythadius
      Copper Contributor
      Clive_Watson
      Thank you, sir. I was wondering if you could make it simpler, please? I was thinking more along the lines of:
      DeviceLogonEvents
      | where ActionType == "LogonFailed"
      // the "Identity" filter: only the accounts I am interested in
      | where AccountName in~ ("Tythadius", "Tythadius2")
      | summarize LogonFailures = count() by AccountName, LogonType
      | where LogonFailures > 10

      What I am looking for is to be able to search for failed logins using the individual's "Identity" or something that will identify the individual's login, like the example I used for Tythadius and Tythadius2.
      I got a list of names from a company I work for, and I need to be able to upload them individually to a query to create a workbook to identify these individuals' failed logins.

      Like I said I only got names such as John Doe, so I need to be able to add these individuals to the query to make it work.

      Thank you so much for your help. I greatly appreciate it.

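An added example that is not part of the thread, combining madhumohan's `in~`-style account filter with the `DeviceName` grouping from the original query: the list of people the poster was given is kept in a small `datatable` mapping display names to the account names they log on with (that mapping is constructed for illustration), matched case-insensitively against `AccountName`, and the result is reported per user and device with the time span and failure reasons. `TimeGenerated` follows Clive_Watson's query and applies to the table as ingested into Microsoft Sentinel; in the Defender advanced hunting portal the column is `Timestamp`. The threshold and lookback values are assumptions.

```kusto
// Added example (not from the thread). The name-to-account mapping is constructed;
// replace it with your own list. Threshold and lookback are assumptions.
let WatchedUsers = datatable(DisplayName:string, AccountName:string)
[
    "John Doe",  "jdoe",
    "Jane Roe",  "jroe",
    "Tythadius", "tythadius"
];
let Threshold = 10;
let LookBack = 1d;
DeviceLogonEvents
| where TimeGenerated > ago(LookBack)           // Defender portal: use Timestamp instead
| where ActionType == "LogonFailed"
// join is case-sensitive, so normalise the key on both sides
| extend AccountKey = tolower(AccountName)
| join kind=inner (
    WatchedUsers
    | extend AccountKey = tolower(AccountName)
    | project DisplayName, AccountKey
  ) on AccountKey
| summarize LogonFailures  = count(),
            FirstFailure   = min(TimeGenerated),
            LastFailure    = max(TimeGenerated),
            FailureReasons = make_set(FailureReason, 5)
    by DisplayName, AccountName, DeviceName, LogonType
| where LogonFailures > Threshold
| project DisplayName, AccountName, DeviceName, LogonType, LogonFailures, FirstFailure, LastFailure, FailureReasons
| sort by LogonFailures desc
```

In Sentinel the `datatable` can be swapped for a watchlist, for example `_GetWatchlist('<watchlist name>') | project DisplayName, AccountName` (assuming the watchlist has those two columns), so the list of names is maintained outside the query and the same query can back a workbook without editing it for each person.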