Tracking Failed Windows Logons for Threat Hunting

eric_capuano · February 17, 2025, 9:22pm

Description of the query:
Find all failed logons, and return specifically the SrcIP, LogonType, Username, and SrcHostname of the logons. Useful for developing baselines and threat hunting for exposed systems being brute-forced.

Query:

-24h | plat==windows | WEL | event/EVENT/System/EventID is '4625' | event/EVENT/EventData/IpAddress as SrcIP event/EVENT/EventData/LogonType as LogonType event/EVENT/EventData/TargetUserName as Username event/EVENT/EventData/WorkstationName as SrcHostname

Topic	Replies	Views
Quickly Find Remote Desktop Logons LCQL Queries	12	February 17, 2025
Detecting Suspicious LSASS Access + Template String Example Detection & Response Rules detection , windows	9	February 18, 2025
Developing A Baseline For Sensitive Process Access LCQL Queries windows , lcql	7	February 18, 2025
Is rundll32.exe Executed Without Expected Dll Path? LCQL Queries lcql	3	February 17, 2025
Detecting Unauthorized Removable Media Detection & Response Rules detection , windows	7	March 7, 2025

Tracking Failed Windows Logons for Threat Hunting

Related topics