Query Details

Excessive failed logins

Query

SecurityEvent
// Keep only events older than midnight at the start of the previous day
| where TimeGenerated < startofday(ago(1d))
// 4625 = an account failed to log on; 0xc000006d = unknown user name or bad password
| where EventID in (4625) and Status == "0xc000006d"
// Hourly buckets aligned to now(); earliest event and event count per bucket
| summarize min(TimeGenerated), EventCount = count() by bin_at(TimeGenerated, 1h, now())
| order by TimeGenerated asc

Explanation

This query reads the SecurityEvent table. It first keeps only events that occurred before the start of the previous day (startofday(ago(1d)) is midnight at the beginning of yesterday). It then filters to EventID 4625 with Status 0xc000006d; 4625 is the Windows "An account failed to log on" audit event and 0xC000006D is the STATUS_LOGON_FAILURE code for an unknown user name or bad password. The query then groups the events into one-hour buckets, aligned to the current time by bin_at(TimeGenerated, 1h, now()), and records the earliest event and the event count in each bucket. Finally, it orders the results by bucket time in ascending order.
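As an added example (not the catalogue's own query), the same filter extended to show which accounts the failures target: the time window, the per-hour threshold of 20 and the TargetAccount and IpAddress columns are assumptions about the SecurityEvent schema and the environment.

```kql
// Added example, not the original query. Threshold is an assumed value.
let threshold = 20;
SecurityEvent
// Assumed window: the last 24 hours
| where TimeGenerated > ago(1d)
// Failed logons with unknown user name or bad password
| where EventID == 4625 and Status == "0xc000006d"
// Hourly buckets per targeted account, with the sources seen in that hour
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Sources = make_set(IpAddress, 10)
    by TargetAccount, bin(TimeGenerated, 1h)
// Keep only buckets over the threshold
| where EventCount > threshold
| order by EventCount desc
```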

Details


Rod Trent

Released: May 29, 2020

Tables

SecurityEvent

Keywords

SecurityEvent,TimeGenerated,EventID,Status,EventCount

Operators

where, <, startofday, ago, in, ==, summarize, min, count, by, bin_at, 1h, now, order by, asc
