![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2019\/01\/01.jpg\")
<\/a><\/figure>\n\n\n\nAny Application Insights instance can be used; no data needs to be collected by the instance (no extra cost) as we will use Log Analytics as a data source. In Application Insights, there are some default workbooks and quick start templates. For this example, we will use the \u00e2\u20ac\u0153Default Template.\u00e2\u20ac\u009d<\/p>\n\n\n\n In the workbook, we can configure it to use any Log Analytics workspace, in any subscription, as a source. Using different workspaces for different parts of the workbook is possible. The query used in this example is shown below, note it shows data for the last 30 days.<\/p>\n\n\n\n SecurityEvent In the workbook, on Column Settings, we can configure how the result will be grouped together. In this example, we will group by failed login reason and then account name. <\/p>\n\n\n\n <\/p>\n\n\n\n When running the workbook, we get a list of failed login reasons and can expand to see account names and amount of failed logins. It is possible to add an extra filter to the query to remove \u00e2\u20ac\u0153noise\u00e2\u20ac\u009d for example accounts with less than three failed login events. In the <\/p>\n\n\n\n A common question I see is how to present the data collected with Log Analytics. We can use View Designer in Log Analytics, PowerBI, Azure Dashboard, and Excel PowerPivot. But in this blog post, I would like to show another way to build a \u00e2\u20ac\u0153report\u00e2\u20ac\u009d direct in the Azure Portal for Log Analytics data. Workbooks … Continue reading <\/a><\/figure>\n\n\n\n
| where AccountType == ‘User’ and EventID == 4625
| where TimeGenerated > ago(30d)
| extend Reason = case(
SubStatus == ‘0xc000005e’, ‘No logon servers available to service the logon request’,
SubStatus == ‘0xc0000062’, ‘Account name is not properly formatted’,
SubStatus == ‘0xc0000064’, ‘Account name does not exist’,
SubStatus == ‘0xc000006a’, ‘Incorrect password’,
SubStatus == ‘0xc000006d’, ‘Bad user name or password’,
SubStatus == ‘0xc000006f’, ‘User logon blocked by account restriction’,
SubStatus == ‘0xc000006f’, ‘User logon outside of restricted logon hours’,
SubStatus == ‘0xc0000070’, ‘User logon blocked by workstation restriction’,
SubStatus == ‘0xc0000071’, ‘Password has expired’,
SubStatus == ‘0xc0000072’, ‘Account is disabled’,
SubStatus == ‘0xc0000133’, ‘Clocks between DC and other computer too far out of sync’,
SubStatus == ‘0xc000015b’, ‘The user has not been granted the requested logon right at this machine’,
SubStatus == ‘0xc0000193’, ‘Account has expirated’,
SubStatus == ‘0xc0000224’, ‘User is required to change password at next logon’,
SubStatus == ‘0xc0000234’, ‘Account is currently locked out’,
strcat(‘Unknown reason substatus: ‘, SubStatus))
| project TimeGenerated, Account, Reason, Computer<\/p><\/blockquote>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n
It is also possible to pin a workbook or part of a workbook, to an Azure Dashboard, to easily access the information.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"