Query Details

Security Event Unusual Authentication Failure Status

Query

// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/1bc92ddf-b79e-413c-bbaa-99a5281a6c90
let query_frequency = 1h;
let query_period = 14d;
let _ExcludedComputers = dynamic();
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4625 and not(IpAddress in ("", "-"))
| summarize arg_min(TimeGenerated, *) by Computer, EventID, AuthenticationPackageName, FailureReason, Status, SubStatus, LogonType
| where TimeGenerated > ago(query_frequency)
| where not(Computer has_any (_ExcludedComputers))
| project-reorder
    TimeGenerated,
    Computer,
    EventID,
    Activity,
    AccountType,
    Account,
    IpAddress,
    LogonType,
    LogonTypeName,
    AuthenticationPackageName,
    FailureReason,
    Status,
    SubStatus,
    WorkstationName

Explanation

This KQL (Kusto Language) query analyzes failed logon events (EventID 4625) and reports failure status combinations that appear on a host for the first time within the lookback period. Here's a breakdown of what the query does:

  1. Define Parameters:

    • query_frequency is set to 1 hour: the detection window. Only combinations whose first occurrence falls in the last hour are reported.
    • query_period is set to 14 days: the baseline lookback. Anything seen earlier in these 14 days is considered already known.
    • _ExcludedComputers is an empty list that can be populated with computer names (or name fragments) to exclude from the results.
  2. Filter Events:

    • The query retrieves security events (from the SecurityEvent table) that occurred within the last 14 days.
    • It specifically looks for events with EventID 4625, which indicates a failed login attempt.
    • It excludes events where the IpAddress is empty or a placeholder ("", "-").
  3. Summarize Events:

    • It summarizes the data to find the earliest occurrence (arg_min) of each unique combination of Computer, EventID, AuthenticationPackageName, FailureReason, Status, SubStatus, and LogonType. Because arg_min(TimeGenerated, *) keeps the entire earliest row, columns such as Account, IpAddress and WorkstationName survive the summarize and can be projected later.
    • Status and SubStatus are NTSTATUS values (see the MS-ERREF link at the top of the query), so a new SubStatus on a host, for example the first account lockout or first "user does not exist" failure, produces a new combination.
  4. Filter Recent Events:

    • After summarizing, it keeps only those combinations whose earliest occurrence is within the last hour. Since the summarize ran over 14 days, a combination first seen in the last hour is one that has not been seen on that computer at any point in the preceding 14 days. A combination that occurred even once earlier in the window is suppressed, and one last seen more than 14 days ago will fire again.
  5. Exclude Specific Computers:

    • It excludes any events from computers listed in _ExcludedComputers, though currently, this list is empty.
  6. Reorder Columns:

    • Finally, it reorders the columns in the output to display specific fields in a preferred order, such as TimeGenerated, Computer, EventID, and others related to the login attempt details.

Overall, this query surfaces failed logon status combinations that are new for a given computer, rather than every recent failure. Because the summarize collapses each combination to its first row, the output shows one example per new combination and says nothing about volume; treat it as a lead for further investigation of the Account, IpAddress and WorkstationName it reports.
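The following Python script is an added example, not part of the original page or the author's query: it re-implements the same first-seen pipeline in memory so the filtering and arg_min logic can be traced step by step. The events, host names, accounts and timestamps are constructed sample data, and the has_any exclusion is approximated with a case-insensitive substring check.

```python
from datetime import datetime, timedelta, timezone

# Constructed "now" so the sample data is deterministic.
NOW = datetime(2024, 11, 14, 12, 0, tzinfo=timezone.utc)
QUERY_FREQUENCY = timedelta(hours=1)   # same role as let query_frequency = 1h
QUERY_PERIOD = timedelta(days=14)      # same role as let query_period = 14d
EXCLUDED_COMPUTERS = []                # same role as let _ExcludedComputers = dynamic()

# The "by" clause of the summarize in the page's query.
GROUP_KEY = ("Computer", "EventID", "AuthenticationPackageName",
             "FailureReason", "Status", "SubStatus", "LogonType")


def unusual_failure_status(events, now=NOW, excluded=EXCLUDED_COMPUTERS,
                           query_frequency=QUERY_FREQUENCY,
                           query_period=QUERY_PERIOD):
    """Return the earliest row of every 4625 status combination whose first
    appearance in the query_period lookback falls inside query_frequency."""
    lookback_start = now - query_period
    recent_start = now - query_frequency
    earliest = {}
    for ev in events:
        # | where TimeGenerated > ago(query_period)
        if ev["TimeGenerated"] <= lookback_start:
            continue
        # | where EventID == 4625 and not(IpAddress in ("", "-"))
        if ev["EventID"] != 4625 or ev["IpAddress"] in ("", "-"):
            continue
        # | summarize arg_min(TimeGenerated, *) by <GROUP_KEY>: keep whole earliest row
        key = tuple(ev[c] for c in GROUP_KEY)
        if key not in earliest or ev["TimeGenerated"] < earliest[key]["TimeGenerated"]:
            earliest[key] = ev
    results = []
    for row in earliest.values():
        # | where TimeGenerated > ago(query_frequency): first seen within the last hour
        if row["TimeGenerated"] <= recent_start:
            continue
        # | where not(Computer has_any (_ExcludedComputers)); empty list excludes nothing
        if any(term.lower() in row["Computer"].lower() for term in excluded):
            continue
        results.append(row)
    return sorted(results, key=lambda r: r["TimeGenerated"])


def make_event(minutes_ago, computer, status, substatus, account,
               ip="10.0.0.5", logon_type=3, pkg="NTLM", reason="%%2313"):
    """Build one constructed SecurityEvent row with the columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "Computer": computer, "EventID": 4625, "Account": account,
        "IpAddress": ip, "LogonType": logon_type,
        "AuthenticationPackageName": pkg, "FailureReason": reason,
        "Status": status, "SubStatus": substatus,
    }


# Constructed sample data. Status 0xC000006D (STATUS_LOGON_FAILURE) with
# SubStatus 0xC000006A = wrong password, 0xC0000234 = account locked out,
# 0xC0000064 = user name does not exist.
SAMPLE_EVENTS = [
    # Routine wrong-password failures on DC01 throughout the lookback window.
    make_event(13 * 24 * 60, "DC01", "0xc000006d", "0xc000006a", "CONTOSO\\alice"),
    make_event(2 * 24 * 60, "DC01", "0xc000006d", "0xc000006a", "CONTOSO\\bob"),
    make_event(30, "DC01", "0xc000006d", "0xc000006a", "CONTOSO\\carol"),  # recent, not new
    # First lockout substatus on DC01 in 14 days: reported.
    make_event(20, "DC01", "0xc000006d", "0xc0000234", "CONTOSO\\bob", reason="%%2307"),
    # Local failure with no source IP: dropped by the IpAddress filter.
    make_event(10, "FS01", "0xc000006d", "0xc0000064", "FS01\\nobody", ip="-"),
    # Same combination seen 15 days ago is outside the lookback, so today's is "new".
    make_event(15 * 24 * 60, "FS01", "0xc000006d", "0xc0000064", "FS01\\x"),
    make_event(5, "FS01", "0xc000006d", "0xc0000064", "FS01\\x"),
]

if __name__ == "__main__":
    for row in unusual_failure_status(SAMPLE_EVENTS):
        print(row["TimeGenerated"].isoformat(), row["Computer"], row["Account"],
              row["IpAddress"], row["Status"], row["SubStatus"])
```

Running the script reports two rows: the DC01 lockout and the FS01 unknown-user failure. The 30-minute-old wrong-password failure on DC01 is not reported because that combination was already seen 13 days earlier, while the FS01 combination is reported even though it occurred 15 days ago, which is the re-firing behaviour to keep in mind when tuning query_period.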

Details


Jose Sebastián Canós

Released: November 14, 2024

Tables

SecurityEvent

Keywords

SecurityEvent, TimeGenerated, EventID, Computer, AuthenticationPackageName, FailureReason, Status, SubStatus, LogonType, Activity, AccountType, Account, IpAddress, LogonTypeName, WorkstationName

Operators

let, dynamic, |, where, >, ago, ==, and, not, in, summarize, arg_min, by, has_any, project-reorder
