KQL Search

Query Details

HomeAI ToolsDevice Query

Login Failure But Password Change Required

Query

//Users with login failure due but required to change password at next logon

SecurityEvent
| where EventID == 4624 and SubStatus == "0XC0000224"

Explanation

This query is looking for security events where users have failed to log in because they need to change their password at their next login.

Details

Rod Trent profile picture

Rod Trent

Released: November 4, 2020

Tables

SecurityEvent

Keywords

Users,Login,Failure,Password,Logon

Operators

whereand====

Actions