Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
| where EventID in (4625, 4624) and AccountType == 'User'
| summarize Attempts = count(), Failed = countif(EventID == 4625), Succeeded = countif(EventID == 4654) by Account
| where EventID == 4625
| extend Reason = case(
SubStatus == '0xc0000064', 'User name does not exist',
SubStatus == '0xc000005e', 'No logon servers available to service the logon request',
SubStatus == '0xc0000062', 'Account name is not properly formatted',
SubStatus == '0xc0000064', 'Account name does not exist',
SubStatus == '0xc000006a', 'Incorrect password',
SubStatus == '0xc000006d', 'Bad user name or password',
SubStatus == '0xc000006f', 'User logon blocked by account restriction',
SubStatus == '0xc000006f', 'User logon outside of restricted logon hours',
SubStatus == '0xc0000070', 'User logon blocked by workstation restriction',
SubStatus == '0xc0000071', 'Password has expired',
SubStatus == '0xc0000072', 'Account is disabled',
SubStatus == '0xc0000133', 'Clocks between DC and other computer too far out of sync',
SubStatus == '0xc000015b', 'The user has not been granted the requested logon right at this machine',
SubStatus == '0xc0000193', 'Account has expirated',
SubStatus == '0xc0000224', 'User is required to change password at next logon',
SubStatus == '0xc0000234', 'Account is currently locked out', strcat('Unknown reason substatus: ', SubStatus))
| where AccountType == "User"
| summarize count() by Reason, Computer
| evaluate pivot(Reason, sum(count_))
| where AccountType == 'User'
| where EventID in (4624, 4625)
| summarize Unique_Accounts = dcount(Account), Attempts = count(), Succeeded=countif(EventID == 4624), Failed=countif(EventID == 4625) by IpAddress
| where Failed > 0
| order by Succeeded>0, todouble(Succeeded)/Attempts asc, Attempts desc
| project IP = IpAddress, Succeeded, Attempts, Unique_Accounts
| take 10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment