PixelRobots/AD_Audit_log_analytics

## AD_Audit_log_analytics
SecurityEvent
| where EventID in (4625, 4624) and AccountType == 'User'
| summarize Attempts = count(), Failed = countif(EventID == 4625), Succeeded = countif(EventID == 4654) by Account

SecurityEvent
| where EventID == 4625
| extend Reason = case(
SubStatus == '0xc0000064', 'User name does not exist',
SubStatus == '0xc000005e', 'No logon servers available to service the logon request',
SubStatus == '0xc0000062', 'Account name is not properly formatted',
SubStatus == '0xc0000064', 'Account name does not exist',
SubStatus == '0xc000006a', 'Incorrect password',
SubStatus == '0xc000006d', 'Bad user name or password',
SubStatus == '0xc000006f', 'User logon blocked by account restriction',
SubStatus == '0xc000006f', 'User logon outside of restricted logon hours',
SubStatus == '0xc0000070', 'User logon blocked by workstation restriction',
SubStatus == '0xc0000071', 'Password has expired',
SubStatus == '0xc0000072', 'Account is disabled',
SubStatus == '0xc0000133', 'Clocks between DC and other computer too far out of sync',
SubStatus == '0xc000015b', 'The user has not been granted the requested logon right at this machine',
SubStatus == '0xc0000193', 'Account has expirated',
SubStatus == '0xc0000224', 'User is required to change password at next logon',
SubStatus == '0xc0000234', 'Account is currently locked out', strcat('Unknown reason substatus: ', SubStatus))
| where AccountType == "User"
| summarize count() by Reason, Computer
| evaluate pivot(Reason, sum(count_))

SecurityEvent
| where AccountType == 'User'
| where EventID in (4624, 4625)
| summarize Unique_Accounts = dcount(Account), Attempts = count(), Succeeded=countif(EventID == 4624), Failed=countif(EventID == 4625) by IpAddress
| where Failed > 0
| order by Succeeded>0, todouble(Succeeded)/Attempts asc, Attempts desc
| project IP = IpAddress, Succeeded, Attempts, Unique_Accounts
| take 10
	SecurityEvent
	\| where EventID in (4625, 4624) and AccountType == 'User'
	\| summarize Attempts = count(), Failed = countif(EventID == 4625), Succeeded = countif(EventID == 4654) by Account

	SecurityEvent
	\| where EventID == 4625
	\| extend Reason = case(
	SubStatus == '0xc0000064', 'User name does not exist',
	SubStatus == '0xc000005e', 'No logon servers available to service the logon request',
	SubStatus == '0xc0000062', 'Account name is not properly formatted',
	SubStatus == '0xc0000064', 'Account name does not exist',
	SubStatus == '0xc000006a', 'Incorrect password',
	SubStatus == '0xc000006d', 'Bad user name or password',
	SubStatus == '0xc000006f', 'User logon blocked by account restriction',
	SubStatus == '0xc000006f', 'User logon outside of restricted logon hours',
	SubStatus == '0xc0000070', 'User logon blocked by workstation restriction',
	SubStatus == '0xc0000071', 'Password has expired',
	SubStatus == '0xc0000072', 'Account is disabled',
	SubStatus == '0xc0000133', 'Clocks between DC and other computer too far out of sync',
	SubStatus == '0xc000015b', 'The user has not been granted the requested logon right at this machine',
	SubStatus == '0xc0000193', 'Account has expirated',
	SubStatus == '0xc0000224', 'User is required to change password at next logon',
	SubStatus == '0xc0000234', 'Account is currently locked out', strcat('Unknown reason substatus: ', SubStatus))
	\| where AccountType == "User"
	\| summarize count() by Reason, Computer
	\| evaluate pivot(Reason, sum(count_))

	SecurityEvent
	\| where AccountType == 'User'
	\| where EventID in (4624, 4625)
	\| summarize Unique_Accounts = dcount(Account), Attempts = count(), Succeeded=countif(EventID == 4624), Failed=countif(EventID == 4625) by IpAddress
	\| where Failed > 0
	\| order by Succeeded>0, todouble(Succeeded)/Attempts asc, Attempts desc
	\| project IP = IpAddress, Succeeded, Attempts, Unique_Accounts
	\| take 10