More than 10 failed logins per user and device

Hello, I have been working with a query that is very useful, but I want it to show me the username of the person as well as the device used. I am using a pre-built query I found to detect more than 10 failed logins. I also want to be able to search for a specific name of a person in our company. Thanks. Here is the query that I have been using.

// Sample query to detect if there are more than 10 failed logon authentications on high value assets.
// Update DeviceName to reflect your high value assets.
// For questions @MiladMSFT on Twitter or email address removed for privacy reasons
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| where LogonFailures > 10
| project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| sort by LogonFailures desc

3 Replies

@Tythadius

If I remember, you have to match the LogonAttempted with the LogonFailure (and there may be other ways); something like this:

DeviceLogonEvents
| where TimeGenerated > ago(12h)
| where ActionType == "LogonAttempted"
// KQL identifiers cannot start with a digit, so the time columns are named FirstTime/SecondTime
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, FirstTime = TimeGenerated
| join kind=inner 
(
    DeviceLogonEvents
    | where ActionType == "LogonFailed"
    | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, SecondTime = TimeGenerated
) on DeviceName
// where failed is after attempted and Device and process match (right-side columns get the "1" suffix after the join)
| where SecondTime > FirstTime and DeviceName == DeviceName1 and InitiatingProcessCommandLine == InitiatingProcessCommandLine1
| summarize arg_max(FirstTime, *) by DeviceName

@Clive_Watson

Thank you, sir. I was wondering if you could make it simpler, please? I was thinking more along the lines of:
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize LogonFailures = count() by Identity = "Tythadius" "Tythadius2", LogonType, AccountName
| where LogonFailures > 10

What I am looking for is to be able to search for failed logins using the individual's "Identity" or something that will identify the individual's login, like the example I use for Tythadius and Tythadius2.
I got a list of names from a company I work for, and I need to be able to upload them individually to a query to create a workbook to identify these individuals' failed logins.

Like I said, I only got names such as John Doe, so I need to be able to add these individuals to the query to make it work.

Thank you so much for your help. I greatly appreciate it.

The following should help you.

DeviceLogonEvents
| where AccountName in~ ("Tythadius", "Tythadius2")
| where ActionType == "LogonFailed"
| summarize LogonFailures = count() by AccountName, LogonType
| where LogonFailures > 10
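As an added example (not from this thread), the same watchlist filter extended to count failures per account and per device, with the list of names bound in a `let` statement so it is easy to swap in, plus a lookback window and first/last failure times. It assumes the AccountDomain and RemoteIP columns of DeviceLogonEvents and uses a constructed list of account names.

```kql
// Added example, not code from the thread.
// Watched account names (constructed sample values; replace with your own list).
let watched = dynamic(["Tythadius", "Tythadius2", "jdoe"]);
let lookback = 24h;   // how far back to look
let threshold = 10;   // failures per account + device before it is reported
DeviceLogonEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "LogonFailed"
| where AccountName in~ (watched)      // case-insensitive match against the list
| summarize LogonFailures = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure  = max(TimeGenerated),
            LogonTypes   = make_set(LogonType),
            SourceIPs    = make_set(RemoteIP)   // assumes RemoteIP is present in your schema
    by AccountDomain, AccountName, DeviceName
| where LogonFailures > threshold
| extend FailureWindow = LastFailure - FirstFailure   // how quickly the failures accumulated
| sort by LogonFailures desc
```

In a Sentinel workbook the `watched` literal can be replaced by a multi-select text parameter so each person on the list can be chosen without editing the query.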