
This query is posted in the comments section

Login Failed attempts Query For WINDOWS

Hello Sophos Community,

I've been trying to find a login failed attempts query for my threat hunting environment. I have searched on GitHub but found nothing. Can anyone share the query with me, please?

  • Below is the query that shows login failed attempts for users within the past 24 hours.
    -- You can change '-24 hours' in the last line.

    -- Shows failed login events for a user within the past 24 hours.
    -- STRFTIME('%s', ...) returns a unix epoch timestamp, which is what the
    -- time column holds; the '-24 hours' modifier moves it back one day.
    
    SELECT 
    datetime(time,'unixepoch','localtime') AS 'Time', 
    eventid, 
    task_message,
    json_extract(data,'$.EventData.FailureReason') AS FailureReason,
    json_extract(data,'$.EventData.TargetUserName') AS UserName
    FROM sophos_windows_events
    WHERE eventid='4625' AND UserName <> '' AND time > STRFTIME('%s','NOW','-24 hours');
    
    --Description of Event ID 4625 is "An account failed to log on".
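To check the time window behaves as intended before running a query like this in a live hunt, the following added example (not from the original post or from Sophos) runs the query against a constructed in-memory SQLite table with the same column names. It contrasts the working filter with a variant built on STRFTIME('%H', ...): that form returns only the hour of the day (for example '14'), so comparing an epoch timestamp against it matches every row and the query silently stops being a 24-hour window. The table name, columns and sample events are assumptions for the demo; it needs a SQLite build with the JSON functions (standard since 3.38).

```python
import json
import sqlite3
import time

# Filter from the post as corrected: epoch seconds 24 hours ago.
GOOD_FILTER = "time > STRFTIME('%s','NOW','-24 hours')"
# Hour-of-day string: compares every epoch timestamp against e.g. '14'.
BROKEN_FILTER = "time > STRFTIME('%H','NOW','24 hours')"


def sample_events(now):
    """Constructed rows imitating sophos_windows_events (values are made up)."""
    def ev(user, reason="%%2313"):
        return json.dumps({"EventData": {"TargetUserName": user,
                                         "FailureReason": reason}})
    return [
        # (time, eventid, task_message, data)
        (now - 3600,       "4625", "Logon", ev("alice")),          # 1 h ago
        (now - 7200,       "4625", "Logon", ev("bob", "%%2304")),  # 2 h ago
        (now - 3 * 86400,  "4625", "Logon", ev("carol")),          # 3 days ago
        (now - 600,        "4624", "Logon", ev("alice")),          # success, not 4625
        (now - 900,        "4625", "Logon", ev("")),               # empty user name
    ]


def make_db(now=None):
    """Create an in-memory table shaped like the one the query reads."""
    now = int(time.time()) if now is None else now
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sophos_windows_events "
        "(time INTEGER, eventid TEXT, task_message TEXT, data TEXT)"
    )
    conn.executemany(
        "INSERT INTO sophos_windows_events VALUES (?,?,?,?)", sample_events(now)
    )
    return conn


def failed_logons(conn, time_filter):
    """Run the post's query with the given time filter; return user names."""
    sql = f"""
        SELECT
          datetime(time,'unixepoch','localtime') AS Time,
          eventid,
          task_message,
          json_extract(data,'$.EventData.FailureReason') AS FailureReason,
          json_extract(data,'$.EventData.TargetUserName') AS UserName
        FROM sophos_windows_events
        WHERE eventid='4625' AND UserName <> '' AND {time_filter}
        ORDER BY time DESC
    """
    return [row[4] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("24-hour window:", failed_logons(db, GOOD_FILTER))    # alice, bob
    print("hour-of-day bug:", failed_logons(db, BROKEN_FILTER))  # includes carol
```

The 4624 row and the empty-user row are excluded by both variants; only the epoch-based filter also drops carol's three-day-old failure, which is the behaviour the post describes.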
