diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 51ff05189a..69291f7a17 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -573,6 +573,11 @@ Here are the minimum steps for WEF to operate:
+
+
+
+
+
```
@@ -654,5 +659,6 @@ You can get more info with the following links:
- [Event Queries and Event XML](https://msdn.microsoft.com/library/bb399427.aspx)
- [Event Query Schema](https://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
+- [4625(F): An account failed to log on](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625)