Hi There,
I am trying to find accounts where the total number of account lockouts is greater than 2 within a time frame of 30 minutes.
This is to find potential malicious activity where someone is possibly trying to crack the password for an account.
Our lockout threshold is 15 minutes, and then the account gets unlocked. This way I can see if someone has possibly tried to log into an account more than 2 times and locked the account within 30 minutes.
Here is my query, which gives me the totals > 2, but I am not sure how to specify the 30-minute time frame in the query.
Any help would be appreciated.
description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| stats count as total by user, host
| where total > 2
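The detection the post describes (more than two 4740 lockouts for the same account within 30 minutes), as an added example that is not part of the original post or of any Splunk app. It is written in Python rather than SPL so the windowing logic is visible and runs stand-alone; the log lines are constructed for the example, and the simplified `timestamp EventCode=... user=... host=...` layout is an assumption about the export format, not the poster's real data. It compares two ways of answering "within 30 minutes": fixed clock-aligned buckets (what bucketing `_time` into 30-minute spans before `stats` gives you) and a true sliding window, and shows a case where three lockouts straddle a bucket boundary and only the sliding window flags it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data) in an assumed simplified
# key=value export of Windows Security log records.
# EventCode 4740 = "A user account was locked out"; 4776 is included only
# to show that non-lockout events are ignored.
SAMPLE_LOG = """\
2024-03-01 08:00:00 EventCode=4740 user=jsmith host=primarydc
2024-03-01 08:20:00 EventCode=4740 user=jsmith host=primarydc
2024-03-01 08:25:00 EventCode=4740 user=jsmith host=primarydc
2024-03-01 08:50:00 EventCode=4740 user=jsmith host=primarydc
2024-03-01 09:00:00 EventCode=4740 user=bjones host=primarydc
2024-03-01 09:40:00 EventCode=4740 user=bjones host=primarydc
2024-03-01 10:20:00 EventCode=4740 user=bjones host=primarydc
2024-03-01 10:29:00 EventCode=4740 user=svc_backup host=primarydc
2024-03-01 10:31:00 EventCode=4740 user=svc_backup host=primarydc
2024-03-01 10:55:00 EventCode=4740 user=svc_backup host=primarydc
2024-03-01 11:00:00 EventCode=4776 user=svc_backup host=primarydc
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"EventCode=(?P<code>\d+) user=(?P<user>\S+) host=(?P<host>\S+)$"
)

EPOCH = datetime(1970, 1, 1)  # naive reference so bin alignment ignores local timezone


def parse_lockouts(text, host_filter="primarydc"):
    """Return {(user, host): sorted [datetime, ...]} for EventCode 4740 on the given host."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["code"] != "4740" or m["host"] != host_filter:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        per_account[(m["user"], m["host"])].append(ts)
    return {acct: sorted(times) for acct, times in per_account.items()}


def max_in_sliding_window(times, window):
    """Largest number of events whose timestamps all lie within `window` of each other.

    Two-pointer sweep over the sorted timestamps: `left` is advanced until the
    oldest event in the window is no more than `window` behind the newest.
    """
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def max_in_fixed_bins(times, span):
    """Largest count in any clock-aligned bin of width `span` (what bucketing _time gives)."""
    bins = defaultdict(int)
    for t in times:
        bins[int((t - EPOCH).total_seconds() // span.total_seconds())] += 1
    return max(bins.values(), default=0)


def flag_accounts(text, window=timedelta(minutes=30), threshold=2, sliding=True):
    """Return {(user, host): count} for accounts locked out more than `threshold`
    times within `window`, using a sliding window or fixed bins."""
    counter = max_in_sliding_window if sliding else max_in_fixed_bins
    hits = {}
    for acct, times in parse_lockouts(text).items():
        n = counter(times, window)
        if n > threshold:
            hits[acct] = n
    return hits


if __name__ == "__main__":
    for mode, sliding in (("sliding window", True), ("fixed 30m bins", False)):
        print(f"--- {mode} ---")
        for (user, host), n in sorted(flag_accounts(SAMPLE_LOG, sliding=sliding).items()):
            print(f"{user}@{host}: {n} lockouts within 30 minutes")
```

In the sample, `jsmith` is flagged either way (three lockouts between 08:00 and 08:25), `bjones` is never flagged (lockouts 40 minutes apart, consistent with the 15-minute unlock followed by an ordinary retry), and `svc_backup` is flagged only by the sliding window: its lockouts at 10:29, 10:31 and 10:55 span 26 minutes but fall into two different clock-aligned half-hour bins (one and two events respectively). In Splunk, the fixed-bin behaviour corresponds to adding `| bin _time span=30m` before the `stats` and grouping by `_time` as well as `user` and `host`; the sliding-window behaviour is what `streamstats time_window=30m count as total by user, host` gives on time-sorted events. Either is a reasonable choice, but it is worth knowing which one a given query implements, since the fixed-bin version can miss a burst that straddles a boundary.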