Scenario: You received an alert just like the one we built yesterday about multiple failed logins.

Your task is to use KQL to answer the following:

• Which accounts are experiencing the most failed logons?
• Were there any successful logins for those accounts? If so, from where?
• What would you recommend if this were a real client incident?

Report Template

• Findings (What did you find)
• Investigation Summary (What happened)
• Who, What, When, Where, Why, How (Answer as much as possible)
  • Who - Who was involved?
  • What - What happened?
  • When - When did this occur and is it still happening?
  • Where - Where in the environment did this happen?
  • Why - Why did this happen? (If known)
  • How - How did this happen?
• Recommendations: (What steps should be taken to reduce risk or stop the activity?)

Notes:

Logs Date

4/16/2021, 8:34:04.098 AM - 4/16/2021, 9:33:42.146 AM

Which accounts are experiencing the most failed logons?

\ADMINISTRATOR has a total 10255 failed login.