So I navigated to it on Elastic, but it won't go through. Need help.

Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Discover”. Then, click on the calendar icon, specify “last 15 years”, and click on “Apply”. Finally, choose the “windows*” index pattern. Now, execute the KQL query that is mentioned in the “Comparison Operators” part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.

I was also having trouble getting this to work, but I figured it out. Once you put in the KQL query it should return 1 item. Click the arrow next to the date under the time column. Scroll down and expand the field details for the message. You should see "Account For Which Logon Failed:". Enter that name.

Hey, I am having trouble getting the Kibana interface; it says no route to the host. I even tried a port scan with rustscan and none of the ports seem to be open. I checked my ovpn file connection and it seems fine! Am I missing something?

Use this KQL: `winlog.event_data.SubStatus:0xC0000072`. In the result, look for "Account Name"; it should be on the last line, and the account name is displayed right in front of it.

`winlog.event_data.TargetUserName` shows the username.

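To show what the KQL query in the replies above is actually matching, here is an added Python example (not from the original thread, Elastic, or Winlogbeat) that filters constructed Winlogbeat-style Event ID 4625 documents by `SubStatus` and pulls out `TargetUserName`, falling back to the "Account For Which Logon Failed" block in the message text. The document layout, field values and user names are constructed samples.

```python
import re

# Well-known NTSTATUS sub-status codes that appear in Event ID 4625 (logon failure).
SUBSTATUS_MEANING = {
    "0xc0000072": "account disabled",
    "0xc0000064": "user name does not exist",
    "0xc000006a": "bad password",
    "0xc0000234": "account locked out",
}

# Constructed sample documents in roughly the shape Winlogbeat writes to a windows* index.
SAMPLE_DOCS = [
    {"winlog": {"event_id": 4625, "event_data": {"SubStatus": "0xc000006a", "TargetUserName": "alice"}},
     "message": "An account failed to log on.\n...\nAccount For Which Logon Failed:\n\tAccount Name:\t\talice"},
    {"winlog": {"event_id": 4625, "event_data": {"SubStatus": "0xc0000072", "TargetUserName": "svc-backup"}},
     "message": "An account failed to log on.\n...\nAccount For Which Logon Failed:\n\tAccount Name:\t\tsvc-backup"},
    {"winlog": {"event_id": 4624, "event_data": {"TargetUserName": "bob"}},
     "message": "An account was successfully logged on."},
]


def substatus_matches(doc, code):
    """Emulate the KQL term query winlog.event_data.SubStatus:<code>.
    Simplification: the hex value is compared case-insensitively."""
    value = doc.get("winlog", {}).get("event_data", {}).get("SubStatus")
    return value is not None and value.lower() == code.lower()


def target_user_from_message(message):
    """Fallback: read the Account Name that follows 'Account For Which Logon Failed:'."""
    m = re.search(r"Account For Which Logon Failed:\s*Account Name:\s*(\S+)", message)
    return m.group(1) if m else None


def users_for_substatus(docs, code):
    """Return the TargetUserName of every document whose SubStatus equals code."""
    users = []
    for doc in docs:
        if not substatus_matches(doc, code):
            continue
        event_data = doc["winlog"]["event_data"]
        name = event_data.get("TargetUserName") or target_user_from_message(doc.get("message", ""))
        users.append(name)
    return users


if __name__ == "__main__":
    # 0xC0000072 is the "account disabled" sub-status the task asks about.
    print(users_for_substatus(SAMPLE_DOCS, "0xC0000072"))
```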

Search for the error that occurred and look through the logs that have been logged for a username.