Query Details

Active Directory - Failed logons

AD Failed Logons

Query

// Active Directory
IdentityLogonEvents
| where isnotempty(FailureReason )
| where ActionType <> "LogonSuccess"
| where Application == "Active Directory"
// | summarize count() by AccountName
// | sort by count_

About this query

Active Directory - Failed logons

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1078.002Valid Accounts: Domain Accountshttps://attack.mitre.org/techniques/T1078/002/

Description

Run the below query to review failed logon activities within Active Directory

References

Microsoft 365 Defender

Explanation

This KQL (Kusto Query Language) query is designed to analyze failed logon attempts within an Active Directory environment. Here's a simple breakdown of what the query does:

  1. Data Source: The query is run against the IdentityLogonEvents table, which contains logon event data.

  2. Filter for Failures: It filters the data to include only those logon events where there is a FailureReason, indicating that the logon attempt was unsuccessful.

  3. Exclude Successful Logons: It further refines the results by excluding any events where the ActionType is "LogonSuccess", ensuring that only failed logon attempts are considered.

  4. Focus on Active Directory: The query specifically looks at logon attempts related to the "Active Directory" application.

  5. Commented Out Code: There are additional lines in the query that are commented out. If uncommented, these lines would:

    • Summarize the number of failed logon attempts by AccountName, providing a count of failures per account.
    • Sort the results by the count of failed attempts, likely to identify accounts with the most failed logon attempts.

Overall, this query helps in identifying and reviewing failed logon activities in Active Directory, which can be useful for security monitoring and detecting potential unauthorized access attempts.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

IdentityLogonEvents

Keywords

ActiveDirectoryIdentityLogonEventsAccountNameApplicationFailureReasonActionType

Operators

|whereisnotempty<>==

MITRE Techniques

Actions

GitHub