Query Details

Login Failure Unknown User Name or Bad Password

Query

//Users with login failure due to Unknown user name or bad password

SecurityEvent
| where EventID == 4625 and FailureReason == "%%2313"
| distinct Account

Explanation

This query filters security events for failed logons (EventID 4625) whose failure reason is "%%2313", the code for an unknown user name or bad password. It then returns the distinct (unique) user accounts that experienced this failure.
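As an added example (not part of the original query), the same filter can feed a summarize step so that each account keeps its failure count, time range and sources, which distinct discards. The rows, account names and addresses below are constructed sample data; TimeGenerated, IpAddress and Computer are SecurityEvent columns the original query does not use.

```kql
// Constructed sample rows standing in for the SecurityEvent table (not real data).
let SampleSecurityEvent = datatable(
    TimeGenerated:datetime, EventID:int, FailureReason:string,
    Account:string, IpAddress:string, Computer:string)
[
    datetime(2020-11-04 09:00:05), 4625, "%%2313", "CONTOSO\\alice", "10.0.0.21", "DC01",
    datetime(2020-11-04 09:00:09), 4625, "%%2313", "CONTOSO\\alice", "10.0.0.21", "DC01",
    datetime(2020-11-04 09:00:14), 4625, "%%2313", "CONTOSO\\alice", "10.0.0.22", "DC01",
    datetime(2020-11-04 09:02:40), 4625, "%%2313", "CONTOSO\\bob",   "10.0.0.35", "FS02",
    // Row with a different failure reason: dropped by the filter below.
    datetime(2020-11-04 09:03:00), 4625, "%%2310", "CONTOSO\\carol", "10.0.0.40", "FS02",
    // Successful logon (4624): dropped by the filter below.
    datetime(2020-11-04 09:05:00), 4624, "",       "CONTOSO\\bob",   "10.0.0.35", "FS02"
];
SampleSecurityEvent
// Same condition as the original query.
| where EventID == 4625 and FailureReason == "%%2313"
// Keep one row per account, but retain volume, timing and origin for triage.
| summarize FailedAttempts = count(),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated),
            SourceIps      = make_set(IpAddress),
            Computers      = make_set(Computer)
    by Account
| order by FailedAttempts desc
```

To run it against live data, replace SampleSecurityEvent in the query body with SecurityEvent and add a TimeGenerated filter for the window of interest.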

Details

Rod Trent

Released: November 4, 2020

Tables

SecurityEvent

Keywords

SecurityEvent,EventID,FailureReason,Account

Operators

where, ==, and, distinct