I want to create a search that will return all of the logon failure events (based on a set of event IDs, let's say EventID 600, 601, 602) that occur after the last "Account Unlocked" event for a specific user.
For example, an event is logged anytime a user account is unlocked. Various events are also logged when a user fails to authenticate properly. After a certain number of failed logon attempts, an account lockout occurs.
I want to be able to specify a username and have the search go look for the last account unlock event (let's say EventID 500), then return any logon failure event (EventID 600, 601, 601) that occurred for that user after the account unlock event.
asked 09 May '12, 23:55
This should give you a listing of the events for user XXXX in chronological order.
More generic (i.e. for all users) you can use the
Hope this helps,
answered 10 May '12, 00:49
Thanks for your reply. I've been playing around with the transaction command this morning and am not finding success. Mainly because the event IDs I'm looking for are not in a sequence, so the startswith and endswith parameters don't seem to work for me.
For example, here is the query I am running:
This query returns a table of results for the user I specify within the timeframe specified. However, I'd rather see a table that begins with the most recent account unlock event (actual Event Codes are: 4767 and 671) and ends with the most recent account lock event (4740 or 644). Within the timeframe of those events, I want to see all of the logon failure events for the user (4776, 680, 675, 672, 4771).
Is that even possible in a search?
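One way to express that window in SPL, as an added example that is not from this thread: it computes the most recent unlock and most recent lockout per search with eventstats and then keeps only the events between them, which avoids the startswith/endswith sequencing problem of transaction. It assumes the Windows events are indexed in an index called wineventlog with the fields EventCode and Account_Name (the usual names from the Splunk Windows add-on); replace XXXX with the account you are investigating.

```spl
index=wineventlog Account_Name="XXXX"
    (EventCode=4767 OR EventCode=671 OR EventCode=4740 OR EventCode=644
     OR EventCode=4776 OR EventCode=680 OR EventCode=675 OR EventCode=672 OR EventCode=4771)
| eval kind=case(EventCode=4767 OR EventCode=671, "unlock",
                 EventCode=4740 OR EventCode=644, "lock",
                 true(), "failure")
| eval unlock_time=if(kind="unlock", _time, null()),
       lock_time=if(kind="lock", _time, null())
| eventstats max(unlock_time) AS last_unlock, max(lock_time) AS last_lock
| where isnotnull(last_unlock) AND _time>=last_unlock
        AND (isnull(last_lock) OR last_lock<last_unlock OR _time<=last_lock)
| sort 0 _time
| table _time EventCode kind Account_Name
```

If the most recent lockout predates the most recent unlock (the account is currently unlocked), the search returns every failure since that unlock; if there is no unlock event in the selected time range, it returns nothing rather than failures from before an unknown unlock.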