Forum Discussion
Tythadius
Jul 10, 2022, Copper Contributor
More than 10 failed logins per user and device
Hello, I have been working with a query that is very useful, but I want it to show me the username of the person as well as the device used. I am using a pre-built query I found to detect more than 10...
Clive_Watson
Jul 11, 2022, Bronze Contributor
If I remember, you have to (and there may be other ways) match the LogonAttempted with the LogonFailure, something like this:
// Attempts in the last 12 hours, one row per device/account/process/timestamp
DeviceLogonEvents
| where TimeGenerated > ago(12h)
| where ActionType == "LogonAttempted"
| summarize LogonAttempts=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, FirstTime = TimeGenerated
| join kind=inner
(
// Failures in the same window (column names starting with a digit, such as 1stTime, are not valid KQL identifiers, hence FirstTime/SecondTime)
DeviceLogonEvents
| where TimeGenerated > ago(12h)
| where ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, SecondTime = TimeGenerated
) on DeviceName
// keep pairs where the failure is after the attempt and the device and process match
| where SecondTime > FirstTime and DeviceName == DeviceName1 and InitiatingProcessCommandLine == InitiatingProcessCommandLine1
| summarize arg_max(FirstTime, *) by DeviceName
Tythadius
Jul 29, 2022, Copper Contributor
Clive_Watson
Thank you, sir. I was wondering if you could make it simpler, please? I was thinking more along the lines of:
DeviceLogonEvents
| where ActionType == "LogonFailed"
// restrict to the identities of interest (in~ is a case-insensitive match against the list)
| where AccountName in~ ("Tythadius", "Tythadius2")
| summarize LogonFailures = count() by AccountName, LogonType
| where LogonFailures > 10
What I am looking for is to be able to search for failed logins using the individual's "Identity" or something that will identify the individual's login, like the example I use for Tythadius and Tythadius2.
I got a list of names from a company I work for, and I need to be able to upload them individually to a query to create a workbook to identify these individuals' failed logins.
Like I said, I only got names such as John Doe, so I need to be able to add these individuals to the query to make it work.
Thank you so much for your help. I greatly appreciate it.
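Pulling the thread together, here is an added example (not from either poster) of the per-user, per-device failed-logon count Tythadius asks for, with the watched names kept in a separate list instead of hard-coded in the summarize clause, and the count bucketed into one-hour windows so the threshold means "more than 10 in an hour". The events, device names, account names and the names SampleLogonEvents, WatchedUsers and Threshold are all constructed for the example.

```kusto
// Constructed sample data standing in for DeviceLogonEvents (not real telemetry):
// 12 failures for john.doe on WS-01 inside one hour, 3 for jane.roe on WS-02,
// and two successful logons that must not be counted.
let SampleLogonEvents = union
    (range i from 1 to 12 step 1
     | project TimeGenerated = datetime(2022-07-10 09:00) + 2m * i,
               DeviceName = "WS-01", AccountName = "john.doe",
               LogonType = "Network", ActionType = "LogonFailed"),
    (range i from 1 to 3 step 1
     | project TimeGenerated = datetime(2022-07-10 09:00) + 5m * i,
               DeviceName = "WS-02", AccountName = "jane.roe",
               LogonType = "Interactive", ActionType = "LogonFailed"),
    (range i from 1 to 2 step 1
     | project TimeGenerated = datetime(2022-07-10 09:30) + 1m * i,
               DeviceName = "WS-01", AccountName = "john.doe",
               LogonType = "Network", ActionType = "LogonSuccess");
// Hypothetical list of people to watch. Keeping it outside the query lets it be
// maintained separately; in Sentinel a Watchlist does the same job, e.g.
//   let WatchedUsers = _GetWatchlist('WatchedUsers') | project AccountName;
let WatchedUsers = datatable(AccountName:string) ["john.doe", "jane.roe"];
let Threshold = 10;
SampleLogonEvents                       // use DeviceLogonEvents in a real workspace
| where ActionType == "LogonFailed"
| where AccountName in~ (WatchedUsers)  // case-insensitive match against the list
| summarize LogonFailures = count(),
            FirstFailure  = min(TimeGenerated),
            LastFailure   = max(TimeGenerated),
            LogonTypes    = make_set(LogonType)
          by AccountName, DeviceName, Window = bin(TimeGenerated, 1h)
| where LogonFailures > Threshold
| order by LogonFailures desc
```

DeviceLogonEvents records logon names (AccountName, InitiatingProcessAccountUpn) rather than display names, so a list like "John Doe" has to be mapped to the corresponding account names before it goes into the watchlist.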