cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

More than 10 failed logins per user and device

Tythadius
Copper Contributor

‎Jul 10 2022 01:10 AM

‎Jul 10 2022 01:10 AM

More than 10 failed logins per user and device

Hello I have been working with a query that is very useful but I want it to show me the username of the person as well as the device used. I am using  a pre built query I found to detect more than 10 failed logins. As well I want to be able to search for a specific name of a person in our company. Thanks. Here is the query that I have been using. 

 

// Sample query to detect If there are more then 10 failed logon authentications on high value assets.
// Update DeviceName to reflect your high value assets.
// For questions @MiladMSFT on Twitter or email address removed for privacy reasons
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| where LogonFailures > 10
| project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
| sort by LogonFailures desc
Labels:
3,804 Views
0 Likes
3 Replies
Reply
3 Replies
Clive_Watson

‎Jul 11 2022 02:57 AM

‎Jul 11 2022 02:57 AM

Re: More than 10 failed logins per user and device

@Tythadius 

 

If I remember you have to (and there may be other ways) match the LogonAttempted with the LogonFailure - something like this 

DeviceLogonEvents
| where TimeGenerated > ago(12h)
| where ActionType == "LogonAttempted"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, 1stTime = TimeGenerated
| join kind=inner 
(
    DeviceLogonEvents
    | where ActionType == "LogonFailed"
    | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn, ActionType, 2ndTime = TimeGenerated
) on DeviceName
// where failed is after attepted and Device and process match 
| where 2ndTime > 1stTime and DeviceName == DeviceName1 and InitiatingProcessCommandLine == InitiatingProcessCommandLine1
| summarize arg_max(1stTime,*) by DeviceName

 

0 Likes
Reply
Tythadius

‎Jul 28 2022 08:03 PM

‎Jul 28 2022 08:03 PM

Re: More than 10 failed logins per user and device

@Clive_Watson
Thank you sir. I was wondering if you could make it simpler please? I was thinking more along the lines of
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize LogonFailures = count() by Identity = "Tythadius" "Tythadius2", LogonType, AccountName
| where LogonFailures > 10

What I am looking for is to be able to search for failed logins using the individuals "Identity" or something that will identify the individuals login. Like the example I use for Tythadius and Tythadius2.
I got a list of names from a company I work for and I need to be able to upload them individually to a query to create a workbook to identify these individuals failed login.

Like I said I only got names such as John Doe, so I need to be able to add these individuals to the query to make it work.

Thank you so much for your help. I greatly appreciate it.
0 Likes
Reply
madhumohan

‎Sep 20 2022 06:45 AM

‎Sep 20 2022 06:45 AM

Re: More than 10 failed logins per user and device

The following should help you.

DeviceLogonEvents
| where AccountName in~ ("Tythadius", "Tythadius2")
| where ActionType == "LogonFailed"
| summarize LogonFailures = count() by AccountName, LogonType
| where LogonFailures > 10
0 Likes
Reply