11 строки
555 B
Plaintext
11 строки
555 B
Plaintext
// Sample query to detect If there are more then 3 failed logon authentications on high value assets.
|
|
// Update DeviceName to reflect your high value assets.
|
|
// For questions @MiladMSFT on Twitter or milad.aslaner@microsoft.com
|
|
DeviceLogonEvents
|
|
| where DeviceName in ("DeviceName1","DeviceName2")
|
|
| where ActionType == "LogonFailed"
|
|
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine
|
|
| where LogonFailures > 3
|
|
| project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine
|
|
| sort by LogonFailures desc
|