From 17764ac9515fa3469f4d01c0b082d942a6293831 Mon Sep 17 00:00:00 2001
From: Eric Conrad <git@zez.me>
Date: Wed, 20 Sep 2017 10:22:24 -0400
Subject: [PATCH] Update README.md

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 97ef48e..859e8c3 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,9 @@ See 'Logging setup' section below for how to configure these logs
 
 Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375 
 
+### Security event 4625 (Failed logons):
+
+Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx
 ### PowerShell auditing (PowerShell 5.0):
 
 DeepBlueCLI uses module logging (PowerShell event 4013) and script block logging (4104). It does not use transcription.