Query Details

Failed User Account Login

Query

Use Case: Identifying failed login attempts on Windows systems within the last 7 days for security analysis and breach detection.

Query:

// WindowsEvent is a table, so the time window and channel are applied as filters
// rather than as function arguments; EventID is an integer column, so it is
// compared directly instead of through tostring().
WindowsEvent
| where TimeGenerated > ago(7d)
| where Channel == 'Security'
| where EventID == 4625

Explanation

The query looks for failed login attempts on Windows systems within the last 7 days. It restricts the WindowsEvent table to the Security channel and keeps only events with Event ID 4625 ("An account failed to log on"). A volume of these events from one source or against one account is a common indicator of password guessing, which makes the query useful for security analysis and breach detection.
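As an added example (not part of the original query page), the same 4625 filter extended into a per-source summary that flags bursts of failures over the 7-day window. It assumes the WindowsEvent table's integer EventID column and its dynamic EventData column carrying the TargetUserName, IpAddress and LogonType fields; the threshold is a constructed tuning value.

```kusto
// Added example, not the original query: failed logons (4625) in the last 7 days,
// grouped by source address and host, keeping only sources that exceed a threshold.
// Assumes EventData is a dynamic column exposing the 4625 fields by name.
let lookback = 7d;
let threshold = 10;   // constructed tuning value; adjust to your environment
WindowsEvent
| where TimeGenerated > ago(lookback)
| where Channel == 'Security'
| where EventID == 4625
| extend TargetUser = tostring(EventData.TargetUserName),
         SourceIp   = tostring(EventData.IpAddress),
         LogonType  = toint(EventData.LogonType)
// Logon type 3 (network) and 10 (remote interactive) are the usual remote paths
| summarize Failures      = count(),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated),
            DistinctUsers = dcount(TargetUser),
            Users         = make_set(TargetUser, 50),
            LogonTypes    = make_set(LogonType)
          by Computer, SourceIp
| where Failures >= threshold
| order by Failures desc
```

A high DistinctUsers count from one SourceIp points to spraying across accounts, while many failures against a single user point to guessing on that account.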

Details


Ugur Koc

Released: February 4, 2024

Tables

WindowsEvent

Keywords

WindowsEvent,Security,EventId,4625

Operators

WindowsEvent, where, tostring, ==
