Forum Discussion
Tythadius (Copper Contributor), Jul 10, 2022
More than 10 failed logins per user and device
Hello, I have been working with a query that is very useful, but I want it to show me the username of the person as well as the device used. I am using a pre-built query I found to detect more than 10 failed logins. As well, I want to be able to search for a specific name of a person in our company. Thanks. Here is the query that I have been using.
// Sample query to detect if there are more than 10 failed logon authentications on high value assets.
// Update DeviceName to reflect your high value assets.
// For questions @MiladMSFT on Twitter or email address removed for privacy reasons
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| where LogonFailures > 10
| project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| sort by LogonFailures desc
- madhumohan (Copper Contributor)
The following should help you.
DeviceLogonEvents
| where AccountName in~ ("Tythadius", "Tythadius2")
| where ActionType == "LogonFailed"
| summarize LogonFailures = count() by AccountName, LogonType
| where LogonFailures > 10
- Clive_Watson (Bronze Contributor)
If I remember, you have to (and there may be other ways) match the LogonAttempted with the LogonFailed; something like this:
DeviceLogonEvents
| where TimeGenerated > ago(12h)
| where ActionType == "LogonAttempted"
// KQL column names cannot start with a digit, so the original 1stTime / 2ndTime are renamed FirstTime / SecondTime
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, FirstTime = TimeGenerated
| join kind=inner (
    DeviceLogonEvents
    | where ActionType == "LogonFailed"
    | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, SecondTime = TimeGenerated
) on DeviceName
// where failed is after attempted and Device and process match
| where SecondTime > FirstTime and DeviceName == DeviceName1 and InitiatingProcessCommandLine == InitiatingProcessCommandLine1
| summarize arg_max(FirstTime, *) by DeviceName
- Tythadius (Copper Contributor)
Clive_Watson,
Thank you, sir. I was wondering if you could make it simpler, please? I was thinking more along the lines of:
DeviceLogonEvents
| where ActionType == "LogonFailed"
// the names of interest go in a filter; the original sketch placed them inside the summarize clause, which is not valid KQL
| where AccountName in~ ("Tythadius", "Tythadius2")
| summarize LogonFailures = count() by Identity = AccountName, LogonType
| where LogonFailures > 10
What I am looking for is to be able to search for failed logins using the individual's "Identity" or something that will identify the individual's login, like the example I used for Tythadius and Tythadius2.
I got a list of names from a company I work for, and I need to be able to upload them individually to a query to create a workbook to identify these individuals' failed logins.
Like I said, I only got names such as John Doe, so I need to be able to add these individuals to the query to make it work.
Thank you so much for your help. I greatly appreciate it.
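The following is an added example, not a query from any participant in this thread, that pulls together what the thread asks for: a list of people by display name (the "John Doe" list), failures counted per user and per device, and a threshold. It assumes the same DeviceLogonEvents schema the posts above use (TimeGenerated, ActionType, AccountName, DeviceName, LogonType) plus the RemoteIP and FailureReason columns of that table. The WatchedUsers table is constructed for illustration; the mapping from a display name to the account name that actually appears in AccountName is something the analyst has to supply, because DeviceLogonEvents only records the logon account, not the person's full name.

```kusto
// Added example (not from the thread). Assumes the Sentinel DeviceLogonEvents schema used above.
// Constructed watch list: HR display name -> account name seen in DeviceLogonEvents.AccountName.
// Replace the rows with your own list.
let WatchedUsers = datatable(DisplayName:string, WatchedAccount:string)
[
    "John Doe",   "jdoe",
    "Tythadius",  "tythadius",
    "Tythadius2", "tythadius2"
];
let Threshold = 10;     // failures per user+device before a row is reported
let Window    = 24h;    // look-back period
DeviceLogonEvents
| where TimeGenerated > ago(Window)
| where ActionType == "LogonFailed"
// normalise case so "JDoe" and "jdoe" count as the same person
| extend AccountKey = tolower(AccountName)
| join kind=inner (
    WatchedUsers
    | extend AccountKey = tolower(WatchedAccount)
    | project DisplayName, AccountKey
) on AccountKey
// one row per person per device, with context an analyst needs to triage
| summarize LogonFailures  = count(),
            FirstFailure   = min(TimeGenerated),
            LastFailure    = max(TimeGenerated),
            LogonTypes     = make_set(LogonType),
            FailureReasons = make_set(FailureReason),
            SourceIPs      = make_set(RemoteIP)
    by DisplayName, AccountName, DeviceName
| where LogonFailures > Threshold
| project DisplayName, AccountName, DeviceName, LogonFailures, FirstFailure, LastFailure, LogonTypes, FailureReasons, SourceIPs
| sort by LogonFailures desc
```

Grouping by both AccountName and DeviceName answers the opening question (who, and on which machine) in a single summarize, with no self-join needed. In a workbook the datatable can be replaced by a parameter or, in Microsoft Sentinel, by a Watchlist read with the built-in _GetWatchlist() function, so the list of names is maintained outside the query text; that substitution is a suggestion, not something the thread itself shows.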