- last edited on by
Ana_Kuzmenchuk
Log content:
"A user account was locked out.
Subject:
Security ID: S-1-5-18
Account Name: ABCASD$
Account Domain: ABC
Logon ID: 0x3E7
Account That Was Locked Out:
Security ID: S-1-5-21-436374069-1592454029
Account Name: xyz123
Additional Information:
Caller Computer Name:
"
--------------------------------------------
I'm using this DQL but not getting the expected results:
fetch logs
| filter contains(content, "A user account was locked out")
| parse content, "LD 'Account That Was Locked Out:' LD 'Account Name:' LD:locked_out_account_name"
| fields timestamp, locked_out_account_name, content
----------------------------------------------
Featured Posts
