Bad passwords logged in the DC Netlogon logs:
for a specific account name: index=cim sourcetype=netlogon host=*dc* "0xC000006A" Logon_Account="*<accountname>" *** need the asterisk since the netlogon log usually puts the domain NetBIOS name in front of the account name.
for a specific account by source: index=cim sourcetype=netlogon host=*dc* "0xC000006A" Logon_Account="*<accountname>" *** same query as above because I did not find an easy way to get the bad password source.
Can anyone please help me?
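An added example, not part of the original post: the bad password source asked about above is normally present in the Netlogon line itself, right after "from". This Python example assumes the usual netlogon.log layout "SamLogon: ... logon of DOMAIN\user from WORKSTATION (via SERVER) Returns 0x..."; the sample lines, the function name and all domain, account and host names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed netlogon.log layout (not real data).
SAMPLE = r"""
06/11 14:32:10 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Entered
06/11 14:32:10 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Returns 0xC000006A
06/11 14:33:02 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from MAIL02 Returns 0xC000006A
06/11 14:33:40 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\asmith from WKSTN07 (via SRV01) Returns 0xC000006A
06/11 14:34:05 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKSTN01 Returns 0x0
06/11 14:35:11 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Returns 0xC000006A
06/11 14:36:00 [LOGON] [1234] CONTOSO: SamLogon: Network logon of (null)\jdoe from  Returns 0xC000006A
"""

# domain\user, then the source workstation (may be blank), then an optional
# "(via <server>)" hop, then the NTSTATUS code on the "Returns" line.
LINE = re.compile(
    r"logon of (?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?P<src>\S*?)\s*"
    r"(?:\(via (?P<via>[^)]+)\)\s*)?Returns (?P<status>0x[0-9A-Fa-f]+)"
)

BAD_PASSWORD = "0xC000006A"  # the status code searched for in the post


def bad_password_sources(log_text, account):
    """Count bad-password failures per source workstation for one account."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "Entered" lines and unrelated entries carry no status
        if m["status"].upper() != BAD_PASSWORD.upper():
            continue
        if m["user"].lower() != account.lower():
            continue
        # Netlogon sometimes logs an empty workstation name; keep it visible.
        counts[m["src"] or "(blank)"] += 1
    return counts


if __name__ == "__main__":
    for src, n in bad_password_sources(SAMPLE, "jdoe").most_common():
        print(f"{src}\t{n}")
```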