Created
October 11, 2022 08:59
Details bad logins for given user
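// Lists failed logons (Windows Security event 4625) recorded for one account
// inside the lookback window, newest first, and adds a Reason column that
// translates the event's SubStatus code into readable text.
let timeframe = 1hr;                         // lookback window
let userName = '<username without domain>';  // account name only, no domain part
SecurityEvent
| where TimeGenerated >= ago(timeframe)
// =~ compares case-insensitively. A failed logon records the account name as
// it was supplied, so an exact-case match can silently miss attempts.
| where TargetUserName =~ userName
| where EventID == 4625 // bad login
// NOTE(review): some 4625 events report the failure code in Status and leave
// SubStatus at 0x0; those rows land in the 'Unknown reason' branch below, so
// check the Status column for them.
| extend Reason = case(
    SubStatus == '0xc000005e', 'No logon servers available to service the logon request',
    SubStatus == '0xc0000062', 'Account name is not properly formatted',
    SubStatus == '0xc0000064', 'Account name does not exist',
    SubStatus == '0xc000006a', 'Incorrect password',
    SubStatus == '0xc000006d', 'Bad user name or password',
    // Account restriction is 0xc000006e. The original listed 0xc000006f twice,
    // which left the logon-hours branch unreachable and mislabelled those events.
    SubStatus == '0xc000006e', 'User logon blocked by account restriction',
    SubStatus == '0xc000006f', 'User logon outside of restricted logon hours',
    SubStatus == '0xc0000070', 'User logon blocked by workstation restriction',
    SubStatus == '0xc0000071', 'Password has expired',
    SubStatus == '0xc0000072', 'Account is disabled',
    SubStatus == '0xc0000133', 'Clocks between DC and other computer too far out of sync',
    SubStatus == '0xc000015b', 'The user has not been granted the requested logon right at this machine',
    SubStatus == '0xc0000193', 'Account has expirated',
    SubStatus == '0xc0000224', 'User is required to change password at next logon',
    SubStatus == '0xc0000234', 'Account is currently locked out',
    // Fallback keeps the raw code visible instead of dropping unmapped events.
    strcat('Unknown reason substatus: ', SubStatus))
| order by TimeGenerated desc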