Forum Discussion
TomWechsler
Apr 03, 2024 MVP
Active Directory Advanced Threat Hunting - Tracing the cause of account lockouts and password errors
Dear Microsoft Active Directory friends,
In this article we are going on a "search for clues" :-). In the life of an IT administrator, you have certainly often had to reset a user's passwor...
Joachim_Otahal
Jun 01, 2024 Iron Contributor
In my experience with large security logs adding "ProviderName" speeds up the query significantly:
-FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing";LogName="Security";ID=4625}
If only failed logins are needed I add "Keywords=4503599627370496" aka "Audit Fail":
-FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing";LogName="Security";ID=4625;Keywords=4503599627370496}
Only -FilterXPath syntax is still faster, and the "[Provider[@Name='Microsoft-Windows-Security-Auditing']]" predicate helps speed that up too. But I have not yet needed to use -FilterXPath for those 4740/4625 security events, only for NTLM logging, where the number of log entries is huge.
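Putting the two filters from this reply to work, here is an added example (not code from the thread or the article) that pulls 4625 failures with the Audit Failure keyword, 4740 lockouts without it (4740 is logged as an Audit Success, so the keyword would filter it out), shows the equivalent -FilterXPath, and groups the failures by account and source to find where the bad passwords come from. It assumes it runs with read access to the Security log of the DC named in $ComputerName.

```powershell
# Added example, not the thread's code: trace lockouts (4740) and failed logons (4625)
# on a domain controller using the ProviderName / Keywords filters from the reply.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: a DC you can read the Security log from
    [int]$Hours = 24
)

$AuditFailure = 4503599627370496     # 0x10000000000000 = "Audit Failure" keyword bit
$Since        = (Get-Date).AddHours(-$Hours)
$Provider     = 'Microsoft-Windows-Security-Auditing'

# 4625: provider + ID + Keywords narrows the scan before any XML is parsed
$failed  = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    ProviderName = $Provider; LogName = 'Security'; ID = 4625; Keywords = $AuditFailure; StartTime = $Since }
# 4740 is an Audit Success event, so no Keywords filter here
$locked  = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    ProviderName = $Provider; LogName = 'Security'; ID = 4740; StartTime = $Since }

# Same 4625 query as XPath, with the Provider predicate the reply recommends
$ms    = [int64]($Hours * 3600 * 1000)
$xpath = "*[System[Provider[@Name='$Provider'] and EventID=4625 and band(Keywords,$AuditFailure)" +
         " and TimeCreated[timediff(@SystemTime) <= $ms]]]"
# $failed = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath

# Common 4625 SubStatus codes worth reading before blaming a user
$SubStatus = @{ '0xc000006a' = 'bad password'; '0xc0000234' = 'account locked';
                '0xc0000064' = 'no such user'; '0xc0000072' = 'account disabled' }

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$rows = @()
foreach ($e in $failed) {
    $d = Get-EventData $e
    $rows += [pscustomobject]@{ Time = $e.TimeCreated; Event = 4625; User = $d.TargetUserName
        Source = $d.WorkstationName; IP = $d.IpAddress; Reason = $SubStatus[$d.SubStatus.ToLower()] }
}
foreach ($e in $locked) {
    $d = Get-EventData $e    # in 4740 the "Caller Computer Name" is carried in TargetDomainName
    $rows += [pscustomobject]@{ Time = $e.TimeCreated; Event = 4740; User = $d.TargetUserName
        Source = $d.TargetDomainName; IP = $null; Reason = 'locked out' }
}

$rows | Sort-Object Time | Format-Table -AutoSize
# The account/source pair with the most failures is usually the stale credential behind the lockout
$rows | Where-Object Event -eq 4625 | Group-Object User, Source |
    Sort-Object Count -Descending | Select-Object Count, Name
```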