windows_event_invalid_logon_brute_force
SCHEMA
| authentication_package | string | The name of the authentication package which was used for the logon | 
| description | string | Plugin description text | 
| eventid | int | The Windows event ID | 
| failure_reason | string | Textual explanation of Status field value | 
| key_length | int | The length of NTLM Session Security key | 
| logon_process | string | The name of the trusted logon process that was used for the logon attempt | 
| logon_type | int | The type of logon which was performed | 
| name | string | Name of the registry value entry | 
| provider_name | string | The Windows event provider | 
| remote_address | string | IP address of machine from which logon attempt was performed | 
| remote_port | int | Source port which was used for logon attempt from remote machine | 
| source | string | The Windows event source | 
| status | string | The reason the logon failed | 
| sub_status | string | Additional information about logon failure | 
| subject_domain | string | The domain or computer name for the account that reported the logon | 
| subject_username | string | The account that reported the logon | 
| target_domain | string | The domain or computer name for the account specified | 
| target_username | string | The name of the account that was specified in the logon attempt | 
| transmitted_services | string | The list of transmitted services | 
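-- windows_event_invalid_logon_brute_force INFO
--
-- Purpose: return every xdr_data row collected for the
-- 'windows_event_invalid_logon_brute_force' query-pack entry (failed Windows
-- logon events, fields as listed in the SCHEMA above), together with the
-- device, decoration and data-lake metadata stored alongside each row.
--
-- The only filter is query_name; no time bound or LIMIT is applied, so the
-- result size is whatever the lake holds for this query. Callers reviewing
-- a brute-force window should scope by unix_time / epoch (and typically
-- group by remote_address and target_username) rather than pull the table
-- unbounded.
SELECT
    -- Device ID details
    meta_hostname,
    meta_ip_address,
    -- Query details (event fields, see SCHEMA)
    query_name,
    authentication_package,
    description,
    eventid,
    failure_reason,
    key_length,
    logon_process,
    logon_type,
    name,
    provider_name,
    remote_address,
    remote_port,
    source,
    status,
    sub_status,
    subject_domain,
    subject_username,
    target_domain,
    target_username,
    transmitted_services,
    -- Decoration (osquery decorators attached at collection time)
    meta_boot_time,
    meta_eid,
    meta_endpoint_type,
    meta_ip_mask,
    meta_mac_address,
    meta_os_name,
    meta_os_platform,
    meta_os_type,
    meta_os_version,
    meta_public_ip,
    meta_query_pack_version,
    meta_username,
    -- Generic (osquery result envelope)
    calendar_time,
    counter,
    epoch,
    host_identifier,
    -- The comma after numerics was missing, which silently selected
    -- numerics under the alias osquery_action and dropped the real
    -- osquery_action column; both are now returned as separate columns.
    numerics,
    osquery_action,
    unix_time,
    -- Data lake (ingest metadata)
    customer_id,
    endpoint_id,
    upload_size
FROM xdr_data
WHERE query_name = 'windows_event_invalid_logon_brute_force'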
 
				 
		