List failed logons logged in Active Directory with additional attributes for investigation and troubleshooting. Comparable to Windows security log event ID 4625.
Prerequisites for using this KQL query
The Microsoft Defender for Identity domain controller sensor needs to be installed on your domain controllers. Run the query in Microsoft Defender > Hunting > Advanced hunting.
KQL query to get Active Directory failed logons
IdentityLogonEvents
| where Application == "Active Directory"
| where ActionType == "LogonFailed"
The default result set includes the columns Timestamp, ActionType, Application, LogonType, Protocol, FailureReason, AccountName, AccountDomain, AccountUpn, AccountSid, AccountObjectId, AccountDisplayName, DeviceName, IPAddress, Port, DestinationDeviceName, DestinationIPAddress, DestinationPort, TargetDeviceName, ISP, ReportId, and AdditionalFields (array).
Deconstructing the KQL query
Read on to understand HOW the query above works.
The goal of this query is to retrieve information about failed logon events related to Active Directory. This information can be valuable for troubleshooting security issues or identifying potential threats in your network environment.
IdentityLogonEvents
This is the name of the table we’re querying. It contains information about authentication activities related to both on-premises Active Directory (captured by Microsoft Defender for Identity) and authentication activities related to Microsoft online services (captured by Microsoft Defender for Cloud Apps).
| where Application == "Active Directory"
In this case, we’re only interested in events where the Application field is equal to “Active Directory”. This ensures that we’re focusing on logon events related to Active Directory.
| where ActionType == "LogonFailed"
Filtering on ActionType narrows the result set down to failed logon attempts only.
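The base query returns one row per failed logon, which is fine for a quick look but hard to read when a single source generates thousands of failures. The following query is an added example, not part of the original post, that builds on the same table and columns: it groups the failures by source and destination over the last seven days and keeps only the noisy sources. The seven-day window and the two thresholds are assumptions and should be tuned for your environment.

```kql
// Added example (not from the original post): aggregate failed Active Directory
// logons from the IdentityLogonEvents table to surface sources that generate
// many failures or hit many different accounts.
IdentityLogonEvents
| where Timestamp > ago(7d)                        // assumed look-back window
| where Application == "Active Directory"
| where ActionType == "LogonFailed"
| summarize
    FailedAttempts   = count(),
    DistinctAccounts = dcount(AccountName),
    FailureReasons   = make_set(FailureReason, 10), // up to 10 distinct reasons
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp)
    by IPAddress, DeviceName, DestinationDeviceName
// Thresholds are assumptions; raise or lower them to fit your baseline.
| where FailedAttempts > 50 or DistinctAccounts > 10
| order by FailedAttempts desc
```

Reading the output: a high FailedAttempts count with a single account and a FailureReason such as a wrong password usually points at a misconfigured service or a stale cached credential, while a high DistinctAccounts count from one IPAddress deserves an investigation of that source. Removing the final where clause returns the full per-source summary, which is useful for establishing the baseline before picking thresholds.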
Reference
- Log Analytics table: IdentityDirectoryEvents | learn.microsoft.com