Security Event Unusual Authentication Failure Status
Query
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/1bc92ddf-b79e-413c-bbaa-99a5281a6c90
let query_frequency = 1h;
let query_period = 14d;
let _ExcludedComputers = dynamic();
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4625 and not(IpAddress in ("", "-"))
| summarize arg_min(TimeGenerated, *) by Computer, EventID, AuthenticationPackageName, FailureReason, Status, SubStatus, LogonType
| where TimeGenerated > ago(query_frequency)
| where not(Computer has_any (_ExcludedComputers))
| project-reorder
TimeGenerated,
Computer,
EventID,
Activity,
AccountType,
Account,
IpAddress,
LogonType,
LogonTypeName,
AuthenticationPackageName,
FailureReason,
Status,
SubStatus,
WorkstationNameExplanation
This KQL (Kusto Query Language) query is designed to analyze security events related to failed login attempts (EventID 4625) over a specified period. Here's a simplified breakdown of what the query does:
-
Define Parameters:
query_frequencyis set to 1 hour, meaning the query focuses on events from the last hour.query_periodis set to 14 days, meaning the query considers events from the last 14 days._ExcludedComputersis an empty list, which can be used to specify computers to exclude from the results.
-
Filter Events:
- The query retrieves security events (from the
SecurityEventtable) that occurred within the last 14 days. - It specifically looks for events with EventID 4625, which indicates a failed login attempt.
- It excludes events where the
IpAddressis empty or a placeholder ("", "-").
- The query retrieves security events (from the
-
Summarize Events:
- It summarizes the data to find the earliest occurrence (
arg_min) of each unique combination ofComputer,EventID,AuthenticationPackageName,FailureReason,Status,SubStatus, andLogonType.
- It summarizes the data to find the earliest occurrence (
-
Filter Recent Events:
- After summarizing, it further filters the results to include only those events that occurred in the last hour.
-
Exclude Specific Computers:
- It excludes any events from computers listed in
_ExcludedComputers, though currently, this list is empty.
- It excludes any events from computers listed in
-
Reorder Columns:
- Finally, it reorders the columns in the output to display specific fields in a preferred order, such as
TimeGenerated,Computer,EventID, and others related to the login attempt details.
- Finally, it reorders the columns in the output to display specific fields in a preferred order, such as
Overall, this query helps identify and analyze recent failed login attempts on computers, allowing for quick detection of potential security issues.
Details

Jose Sebastián Canós
Released: November 14, 2024
Tables
SecurityEvent
Keywords
SecurityEventTimeGeneratedEventIDComputerAuthenticationPackageNameFailureReasonStatusSubStatusLogonTypeActivityAccountTypeAccountIpAddressLogonTypeNameWorkstationName
Operators
letdynamic|where>ago==andnotinsummarizearg_minbyhas_anyproject-reorder