
# Active Directory - Failed logons

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1078.002 | Valid Accounts: Domain Accounts | https://attack.mitre.org/techniques/T1078/002/ |

### Description

Run the query below to review failed logon activity within Active Directory.

#### References

### Microsoft 365 Defender

```kql
// Active Directory - failed logons reported in IdentityLogonEvents
IdentityLogonEvents
// keep only events that carry a failure reason
| where isnotempty(FailureReason)
// drop successful logons
| where ActionType <> "LogonSuccess"
// restrict to Active Directory logon events
| where Application == "Active Directory"
// optional: count failures per account
// | summarize count() by AccountName
// | sort by count_
```

Explanation

This query surfaces failed logon activity in Active Directory: it keeps only events in `IdentityLogonEvents` that carry a non-empty `FailureReason`, drops events whose `ActionType` is `LogonSuccess`, and restricts the result to events whose `Application` is `Active Directory`. The commented-out `summarize` and `sort` lines can be enabled to count failures per account instead of listing each event.
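As an added example that is not part of the original query, the same filters aggregated per account so that accounts with many failures from many source devices or addresses stand out for review; the lookback window and the failure threshold are assumed values to tune for your environment.

```kql
// Added example: per-account view of failed Active Directory logons.
// lookback and failure_threshold are assumed values; adjust as needed.
let lookback = 7d;
let failure_threshold = 20;
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where Application == "Active Directory"
| where ActionType <> "LogonSuccess"
| where isnotempty(FailureReason)
| summarize
    FailedLogons   = count(),
    SourceDevices  = dcount(DeviceName),
    SourceIPs      = dcount(IPAddress),
    FailureReasons = make_set(FailureReason, 10),
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp)
    by AccountName
// keep only accounts above the threshold, busiest first
| where FailedLogons >= failure_threshold
| sort by FailedLogons desc
```

A high `SourceDevices` or `SourceIPs` count for a single account, or one `FailureReason` repeated across many accounts, is the pattern worth triaging first.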

Details

Alex Verboon

Released: June 24, 2024

Tables

IdentityLogonEvents
