Adversaries may attempt to brute-force access to high-value assets, which shows up as repeated failed logon attempts against those hosts. SOC teams should hunt for this behavior proactively to surface credential guessing or reconnaissance against critical systems. The query below counts LogonFailed rows in DeviceLogonEvents (Microsoft Defender for Endpoint data, ingested through the Microsoft 365 Defender connector) per device, logon type and initiating process. It carries no time window and does not group by account, so run it over a bounded time range and pivot on AccountName, FailureReason and RemoteIP when triaging a hit.
KQL Query
```kql
DeviceLogonEvents
| where DeviceName in ("DeviceName1","DeviceName2")
| where ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine
| where LogonFailures > 3
| project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine
| sort by LogonFailures desc
```
```yaml
id: 95d68a9c-91d3-41ce-ab9f-f1baadc74f8a
name: Failed Logon Attempt
description: |
  Sample query to detect if there are more than 3 failed logon authentications on high-value assets.
  Update DeviceName to reflect your high-value assets.
  For questions @MiladMSFT on Twitter or [email protected].
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
query: |
  DeviceLogonEvents
  | where DeviceName in ("DeviceName1","DeviceName2")
  | where ActionType == "LogonFailed"
  | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine
  | where LogonFailures > 3
  | project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine
  | sort by LogonFailures desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ensure the Microsoft 365 Defender data connector (connectorId `MicrosoftThreatProtection`) is enabled and populating this table |
Scenario: Scheduled Job Execution
Description: A legitimate scheduled job (e.g., a SQL Server Agent job or a Windows Task Scheduler task) runs under a service account whose password has expired or been changed, so every run fails to authenticate and produces a burst of LogonFailed rows with LogonType "Batch" or "Service".
Filter/Exclusion: DeviceLogonEvents has no EventID column, so Windows event IDs cannot be used as a filter here (and EventID 41 is Kernel-Power, EventID 4663 is object access auditing; neither is a logon event). Exclude rows where LogonType is "Batch" and InitiatingProcessFileName is the job scheduler (e.g., SQLAGENT.EXE, or the svchost.exe instance hosting the Schedule service), and open a ticket for the broken job rather than suppressing it indefinitely.
Scenario: Admin Password Reset via PowerShell
Description: An admin uses PowerShell to reset the passwords of accounts used on high-value assets. Services, scheduled tasks and mapped drives that still hold the old credential then fail until they are updated, which looks like a short brute-force burst against those assets.
Filter/Exclusion: The reset itself is not recorded in DeviceLogonEvents; it appears in SecurityEvent as EventID 4723 (password change) or 4724 (password reset), with TargetUserName naming the affected account. Correlate rather than filter: join the failures to those reset events on the account and suppress only bursts that start within a short window after the reset. Do not exclude on the admin's account name alone, since a compromise of that account would then be invisible.
Scenario: Multi-Factor Authentication (MFA) Retry
Description: A user with MFA enabled submits an incorrect second factor (e.g., a TOTP code) several times in a row.
Filter/Exclusion: This scenario normally does not reach DeviceLogonEvents at all: a rejected second factor is recorded by the identity provider (for Microsoft Entra ID, in SigninLogs) and does not produce a Windows LogonFailed event on the endpoint. EventID 4768 and 4769 are Kerberos TGT and service-ticket requests, not MFA failures. Tune MFA retries in the sign-in logs, not in this query.
Scenario: System Maintenance Task (e.g., Windows Update)
Description: A maintenance task (e.g., Windows Update or DISM) may produce a cluster of failed logons while a service is being restarted or a cached credential is briefly stale.
Filter/Exclusion: Exclude rows where AccountName is a built-in service identity (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and InitiatingProcessFileName is the maintenance component (e.g., TiWorker.exe or dism.exe). Because DeviceLogonEvents has no EventID column, the Windows event IDs originally suggested cannot be used here, and EventID 6008 is an unexpected-shutdown event rather than a logon event (e.g., EventID 6008 or Event3 for
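The following query is an added example, not part of the original hunting query or the Azure Sentinel repository. It keeps the detection above but adds a time bucket, the targeted account and failure reason, and the exclusions described in the scheduled-job, password-reset and maintenance scenarios. The device, scheduler and maintenance-binary lists, the threshold, the lookback, and the use of the SecurityEvent table (Windows Security Events connector, with domain-controller events collected) for the password-reset correlation are all assumptions to adjust for your environment.

```kql
// Added example (not the original page's query). Assumed placeholders:
// HighValueAssets, JobSchedulers, MaintenanceBinaries, Threshold, Lookback.
let HighValueAssets = dynamic(["DeviceName1", "DeviceName2"]);
let JobSchedulers = dynamic(["sqlagent.exe", "svchost.exe"]);     // assumed scheduler binaries
let MaintenanceBinaries = dynamic(["tiworker.exe", "dism.exe"]);  // assumed maintenance components
let Threshold = 3;
let Lookback = 1d;
let Failures = DeviceLogonEvents
    | where Timestamp > ago(Lookback)
    | where DeviceName in~ (HighValueAssets)
    | where ActionType == "LogonFailed"
    // Scheduled-job scenario: batch logons started by a known scheduler
    | where not(LogonType == "Batch" and tolower(InitiatingProcessFileName) in (JobSchedulers))
    // Maintenance scenario: built-in service identities driven by a maintenance component
    | where not(AccountName in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
                and tolower(InitiatingProcessFileName) in (MaintenanceBinaries))
    | summarize LogonFailures = count(),
                FailureReasons = make_set(FailureReason, 10),
                SourceIPs = make_set(RemoteIP, 10),
                FirstSeen = min(Timestamp),
                LastSeen = max(Timestamp)
        by Hour = bin(Timestamp, 1h), DeviceName, AccountName, LogonType, InitiatingProcessFileName
    | where LogonFailures > Threshold;
// Password-reset scenario: 4723/4724 live in SecurityEvent, not DeviceLogonEvents,
// so correlate on the account (assumes the Windows Security Events connector).
let Resets = SecurityEvent
    | where TimeGenerated > ago(Lookback)
    | where EventID in (4723, 4724)
    | summarize ResetTime = max(TimeGenerated) by AccountName = TargetUserName;
Failures
| join kind=leftouter Resets on AccountName
// Keep the burst unless it started within an hour after a reset of the same account
| where isnull(ResetTime) or not(FirstSeen between (ResetTime .. (ResetTime + 1h)))
| project-away AccountName1, ResetTime
| sort by LogonFailures desc
```

The exclusions are deliberately narrow: each one requires both the logon type or account class and the initiating binary to match, so an attacker reusing a scheduler account from a different process still fires. The reset correlation suppresses only bursts that begin in the hour after a reset; failures that predate the reset or continue well past it remain in the results.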