I've been struggling for days with the answer to this question and I can't find it. Does anyone know the answer?

Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Either create a new visualization or edit the “Failed logon attempts [Admin users only]” visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword “admin” anywhere within it. What should you specify after user.name: in the KQL query?


1 Like

I am doing this now. Have you found any documentation that you can share that points to the answer?

LOL - found the answer just now. *admin*

2 Likes

*admin*

Thanks!

3 Likes

I still do not understand this one :frowning:

Type in * admin *

1 Like

No spaces tho

1 Like

Well, that’s curious because here [Keyword Query Language (KQL) syntax reference | Microsoft Learn] it says that “KQL queries don’t support prefix matching with the wildcard * as prefix”, so I didn’t expect to have it before.

I still can’t do it

In the steps you have been given: select the Discover option from the navigation toggle, set the calendar, change the index from zeek to windows, then run the KQL search query mentioned in the section on comparison operators. One search will appear; expand it and go down to the message area where the account name is present. Hint: the account name starts with a.

Try searching for event.code : (What happens when you get locked out)

Investigate the logs. What accounts are involved?

For those still confused.

Read the question properly.

“where the username field contains the keyword “admin” ANYWHERE within it.”

We aren’t exactly trying to search “admin”, we want to search for all possible entries that have the text “admin” in it.

Hint ~ Wildcards.
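
To make the difference concrete, here is an added example (not code from the thread or the lab) that emulates how a KQL term with and without `*` matches against a handful of constructed failed-logon records. It assumes `user.name` is a keyword field (so matching is case-sensitive) and uses Windows event code 4625 for a failed logon; both are assumptions, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample records, shaped like Windows logon events in an index;
# 4625 is "an account failed to log on", 4624 is a successful logon.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event.code": "4625", "user.name": "admin"},
    {"event.code": "4625", "user.name": "sysadmin01"},
    {"event.code": "4625", "user.name": "localadmin"},
    {"event.code": "4625", "user.name": "Administrator"},  # capital A
    {"event.code": "4625", "user.name": "jsmith"},
    {"event.code": "4624", "user.name": "admin"},  # success, so excluded
]


def kql_term_to_regex(term: str) -> "re.Pattern[str]":
    """Turn one KQL value such as `*admin*` into an anchored regex.

    Only `*` is special (it matches any run of characters, including none);
    every other character is matched literally. Matching is case-sensitive,
    which is how a wildcard behaves on a keyword field (assumption).
    """
    parts = [re.escape(piece) for piece in term.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def failed_logons_matching(events: List[Dict[str, str]], term: str) -> List[str]:
    """Return the sorted user.name values of failed logons whose name
    satisfies the KQL term, i.e. `event.code:4625 and user.name:<term>`."""
    pattern = kql_term_to_regex(term)
    return sorted(
        ev["user.name"]
        for ev in events
        if ev["event.code"] == "4625" and pattern.match(ev["user.name"])
    )


if __name__ == "__main__":
    for term in ("admin", "admin*", "*admin", "*admin*"):
        print(f"user.name:{term:<8} -> {failed_logons_matching(SAMPLE_EVENTS, term)}")
```

Note that "Administrator" is not returned for any of the terms because the emulated match is case-sensitive, which is the kind of miss worth checking for in a real dashboard.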


I’m still lost. I input admin but it’s wrong?

Thank you. That was nuts.