Active Directory - Failed logons
AD Failed Logons
Query
// Active Directory
IdentityLogonEvents
| where isnotempty(FailureReason )
| where ActionType <> "LogonSuccess"
| where Application == "Active Directory"
// | summarize count() by AccountName
// | sort by count_About this query
Active Directory - Failed logons
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1078.002 | Valid Accounts: Domain Accounts | https://attack.mitre.org/techniques/T1078/002/ |
Description
Run the below query to review failed logon activities within Active Directory
References
Microsoft 365 Defender
Explanation
This KQL (Kusto Query Language) query is designed to analyze failed logon attempts within an Active Directory environment. Here's a simple breakdown of what the query does:
-
Data Source: The query is run against the
IdentityLogonEventstable, which contains logon event data. -
Filter for Failures: It filters the data to include only those logon events where there is a
FailureReason, indicating that the logon attempt was unsuccessful. -
Exclude Successful Logons: It further refines the results by excluding any events where the
ActionTypeis "LogonSuccess", ensuring that only failed logon attempts are considered. -
Focus on Active Directory: The query specifically looks at logon attempts related to the "Active Directory" application.
-
Commented Out Code: There are additional lines in the query that are commented out. If uncommented, these lines would:
- Summarize the number of failed logon attempts by
AccountName, providing a count of failures per account. - Sort the results by the count of failed attempts, likely to identify accounts with the most failed logon attempts.
- Summarize the number of failed logon attempts by
Overall, this query helps in identifying and reviewing failed logon activities in Active Directory, which can be useful for security monitoring and detecting potential unauthorized access attempts.
