Failed logon attempts by valid accounts within 10 mins

Severity: low
Time window: 10m
Group by: Account, Activity, Computer, EventID, IpAddress, LogonProcessName, LogonType, LogonTypeName, Reason, ResourceId, SourceComputerId, Status, SubStatus, TargetAccount, TargetDomainName, TargetUserName, WorkstationName
Author: Microsoft Security Research
Source: github.com/Azure/Azure-Sentinel

Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1110` Brute Force

Event coverage

Provider	Event	Title
Security-Auditing	Event ID 4625	An account failed to log on.

Rule body kusto

id: 0777f138-e5d8-4eab-bec1-e11ddfbc2be2
name: Failed logon attempts by valid accounts within 10 mins
description: |
  'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.'
severity: Low
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  let threshold = 20;
  let ReasontoSubStatus = datatable(SubStatus: string, Reason: string) [
      "0xc000005e", "There are currently no logon servers available to service the logon request.",
      "0xc0000064", "User logon with misspelled or bad user account",
      "0xc000006a", "User logon with misspelled or bad password",
      "0xc000006d", "Bad user name or password",
      "0xc000006e", "Unknown user name or bad password",
      "0xc000006f", "User logon outside authorized hours",
      "0xc0000070", "User logon from unauthorized workstation",
      "0xc0000071", "User logon with expired password",
      "0xc0000072", "User logon to account disabled by administrator",
      "0xc00000dc", "Indicates the Sam Server was in the wrong state to perform the desired operation",
      "0xc0000133", "Clocks between DC and other computer too far out of sync",
      "0xc000015b", "The user has not been granted the requested logon type (aka logon right) at this machine",
      "0xc000018c", "The logon request failed because the trust relationship between the primary domain and the trusted domain failed",
      "0xc0000192", "An attempt was made to logon, but the Netlogon service was not started",
      "0xc0000193", "User logon with expired account",
      "0xc0000224", "User is required to change password at next logon",
      "0xc0000225", "Evidently a bug in Windows and not a risk",
      "0xc0000234", "User logon with account locked",
      "0xc00002ee", "Failure Reason: An Error occurred during Logon",
      "0xc0000413", "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
  ];
  (union isfuzzy=true
      (SecurityEvent
      | where EventID == 4625
      | where AccountType =~ "User"
      | where SubStatus !~ '0xc0000064' and Account !in ('\\', '-\\-')
      // SubStatus '0xc0000064' signifies 'Account name does not exist'
      | extend
          ResourceId = column_ifexists("_ResourceId", _ResourceId),
          SourceComputerId = column_ifexists("SourceComputerId", SourceComputerId),
          SubStatus = tolower(SubStatus)
      | lookup ReasontoSubStatus on SubStatus
      | extend coalesce(Reason, strcat('Unknown reason substatus: ', SubStatus))
      | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,
          Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,
          LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
      | where FailedLogonCount >= threshold
      ),
      (
      (WindowsEvent
      | where EventID == 4625 and not(EventData has '0xc0000064')
      | extend TargetAccount = strcat(tostring(EventData.TargetDomainName), "\\", tostring(EventData.TargetUserName))
      | extend TargetUserSid = tostring(EventData.TargetUserSid)
      | extend AccountType=case(EventData.TargetUserName endswith "$" or TargetUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(TargetUserSid), "", "User")
      | where AccountType =~ "User"
      | extend SubStatus = tostring(EventData.SubStatus)
      | where SubStatus !~ '0xc0000064' and TargetAccount !in ('\\', '-\\-')
      // SubStatus '0xc0000064' signifies 'Account name does not exist'
      | extend
          ResourceId = column_ifexists("_ResourceId", _ResourceId),
          SourceComputerId = column_ifexists("SourceComputerId", ""),
          SubStatus = tolower(SubStatus)
      | lookup ReasontoSubStatus on SubStatus
      | extend coalesce(Reason, strcat('Unknown reason substatus: ', SubStatus))
      | extend Activity="4625 - An account failed to log on."
      | extend TargetUserName = tostring(EventData.TargetUserName)
      | extend TargetDomainName = tostring(EventData.TargetDomainName)
      | extend LogonType = tostring(EventData.LogonType)
      | extend Status= tostring(EventData.Status)
      | extend LogonProcessName = tostring(EventData.LogonProcessName)
      | extend WorkstationName = tostring(EventData.WorkstationName)
      | extend IpAddress = tostring(EventData.IpAddress)
      | extend LogonTypeName=case(
        LogonType == 2, "2 - Interactive",
        LogonType == 3, "3 - Network",
        LogonType == 4, "4 - Batch",
        LogonType == 5, "5 - Service",
        LogonType == 7, "7 - Unlock",
        LogonType == 8, "8 - NetworkCleartext",
        LogonType == 9, "9 - NewCredentials",
        LogonType == 10, "10 - RemoteInteractive",
        LogonType == 11, "11 - CachedInteractive",
        tostring(LogonType)
      )
      | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,
          Activity, Computer, TargetAccount, TargetUserName, TargetDomainName,
          LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
      | where FailedLogonCount >= threshold
      )))
  | summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetAccount
      - identifier: Name
        columnName: TargetUserName
      - identifier: NTDomain
        columnName: TargetDomainName
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress
version: 1.2.5
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Others", "Identity" ]

Stages and Predicates

Parameters

let threshold = 20;

Let binding: `ReasontoSubStatus`

let ReasontoSubStatus = datatable(SubStatus: string, Reason: string) [
    "0xc000005e", "There are currently no logon servers available to service the logon request.",
    "0xc0000064", "User logon with misspelled or bad user account",
    "0xc000006a", "User logon with misspelled or bad password",
    "0xc000006d", "Bad user name or password",
    "0xc000006e", "Unknown user name or bad password",
    "0xc000006f", "User logon outside authorized hours",
    "0xc0000070", "User logon from unauthorized workstation",
    "0xc0000071", "User logon with expired password",
    "0xc0000072", "User logon to account disabled by administrator",
    "0xc00000dc", "Indicates the Sam Server was in the wrong state to perform the desired operation",
    "0xc0000133", "Clocks between DC and other computer too far out of sync",
    "0xc000015b", "The user has not been granted the requested logon type (aka logon right) at this machine",
    "0xc000018c", "The logon request failed because the trust relationship between the primary domain and the trusted domain failed",
    "0xc0000192", "An attempt was made to logon, but the Netlogon service was not started",
    "0xc0000193", "User logon with expired account",
    "0xc0000224", "User is required to change password at next logon",
    "0xc0000225", "Evidently a bug in Windows and not a risk",
    "0xc0000234", "User logon with account locked",
    "0xc00002ee", "Failure Reason: An Error occurred during Logon",
    "0xc0000413", "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
];

union `isfuzzy=true` (2 sources)

Each leg below queries one source; the rule matches if any leg does. Sources: SecurityEvent, WindowsEvent

Leg 1: `SecurityEvent`

SecurityEvent
    | where EventID == 4625
    | where AccountType =~ "User"
    | where SubStatus !~ '0xc0000064' and Account !in ('\\', '-\\-')
    | extend
        ResourceId = column_ifexists("_ResourceId", _ResourceId),
        SourceComputerId = column_ifexists("SourceComputerId", SourceComputerId),
        SubStatus = tolower(SubStatus)
    | lookup ReasontoSubStatus on SubStatus
    | extend coalesce(Reason, strcat('Unknown reason substatus: ', SubStatus))
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,
        Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,
        LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
    | where FailedLogonCount >= threshold

Leg 2: `WindowsEvent`

(WindowsEvent
    | where EventID == 4625 and not(EventData has '0xc0000064')
    | extend TargetAccount = strcat(tostring(EventData.TargetDomainName), "\\", tostring(EventData.TargetUserName))
    | extend TargetUserSid = tostring(EventData.TargetUserSid)
    | extend AccountType=case(EventData.TargetUserName endswith "$" or TargetUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(TargetUserSid), "", "User")
    | where AccountType =~ "User"
    | extend SubStatus = tostring(EventData.SubStatus)
    | where SubStatus !~ '0xc0000064' and TargetAccount !in ('\\', '-\\-')
    | extend
        ResourceId = column_ifexists("_ResourceId", _ResourceId),
        SourceComputerId = column_ifexists("SourceComputerId", ""),
        SubStatus = tolower(SubStatus)
    | lookup ReasontoSubStatus on SubStatus
    | extend coalesce(Reason, strcat('Unknown reason substatus: ', SubStatus))
    | extend Activity="4625 - An account failed to log on."
    | extend TargetUserName = tostring(EventData.TargetUserName)
    | extend TargetDomainName = tostring(EventData.TargetDomainName)
    | extend LogonType = tostring(EventData.LogonType)
    | extend Status= tostring(EventData.Status)
    | extend LogonProcessName = tostring(EventData.LogonProcessName)
    | extend WorkstationName = tostring(EventData.WorkstationName)
    | extend IpAddress = tostring(EventData.IpAddress)
    | extend LogonTypeName=case(
      LogonType == 2, "2 - Interactive",
      LogonType == 3, "3 - Network",
      LogonType == 4, "4 - Batch",
      LogonType == 5, "5 - Service",
      LogonType == 7, "7 - Unlock",
      LogonType == 8, "8 - NetworkCleartext",
      LogonType == 9, "9 - NewCredentials",
      LogonType == 10, "10 - RemoteInteractive",
      LogonType == 11, "11 - CachedInteractive",
      tostring(LogonType)
    )
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,
        Activity, Computer, TargetAccount, TargetUserName, TargetDomainName,
        LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
    | where FailedLogonCount >= threshold
    )

Applied to the combined result

| summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`Account`	in	`-\\-`, `\\`
`EventData`	match	`0xc0000064`
`TargetAccount`	in	`-\\-`, `\\`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccountType`	eq	`User` corpus 9 (kusto 9)
`EventID`	eq	`4625` transforms: `cased` corpus 15 (splunk 11, chronicle 2, kusto 2)
`FailedLogonCount`	ge	`20` transforms: `cased`
`SubStatus`	ne	`0xc0000064`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`Computer`	`summarize`
`TargetAccount`	`summarize`
`TargetDomainName`	`summarize`
`TargetUserName`	`summarize`
`DomainIndex`	`extend`
`HostName`	`extend`
`HostNameDomain`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Failed logon attempts by valid accounts within 10 mins

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Parameters

Let binding: `ReasontoSubStatus`

union `isfuzzy=true` (2 sources)

Leg 1: `SecurityEvent`

Leg 2: `WindowsEvent`

Applied to the combined result

Exclusions

Indicators

Output fields

Keyboard shortcuts

Search operators

Failed logon attempts by valid accounts within 10 mins

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Parameters

Let binding: ReasontoSubStatus

union isfuzzy=true (2 sources)

Leg 1: SecurityEvent

Leg 2: WindowsEvent

Applied to the combined result

Exclusions

Indicators

Output fields

Let binding: `ReasontoSubStatus`

union `isfuzzy=true` (2 sources)

Leg 1: `SecurityEvent`

Leg 2: `WindowsEvent`