Query Details

Security Event Unusual User Account Authentication

Query

let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
SecurityEvent
| where TimeGenerated > ago (query_period)
| where EventID == 4624 and AccountType == "User" and Computer has_any (_DomainControllers)
| summarize arg_min(TimeGenerated, *) by
    LogonTypeName,
    AuthenticationPackageName,
    LmPackageName,
    EmptyIpAddress = IpAddress in ("-", ""),
    EmptyWorkstationName = WorkstationName in ("-", ""),
    ElevatedToken,
    IsAnonymousLogon = TargetAccount == @"NT AUTHORITY\ANONYMOUS LOGON"
| where TimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    Activity,
    LogonTypeName,
    AuthenticationPackageName,
    LmPackageName,
    KeyLength,
    EmptyIpAddress,
    EmptyWorkstationName,
    ElevatedToken,
    IsAnonymousLogon

Explanation

This query is designed to analyze security events related to user logins on domain controllers over a specified period. Here's a simplified breakdown:

  1. Setup Parameters:
    • query_frequency is set to 1 hour: only attribute combinations whose earliest occurrence falls within the last hour are reported.
    • query_period is set to 14 days: the lookback window that serves as the baseline of combinations already seen.
  2. Identify Domain Controllers:
    • A list of domain controller host names is retrieved from the watchlist named "Service-PrivateCorporateServices", taking the rows whose Service is "DomainController".
  3. Filter Security Events:
    • The query reads the SecurityEvent table for the last 14 days.
    • It keeps events with EventID 4624 (a successful logon) where AccountType is "User".
    • It keeps only events whose Computer value contains one of the watchlisted host names (has_any does whole-term matching, so the watchlist HostName must match how Computer is recorded, short name or FQDN).
  4. Summarize Events:
    • summarize arg_min(TimeGenerated, *) keeps, for each unique combination of logon type, authentication package, LM package, elevated-token flag and the computed flags, the single earliest event in the 14-day window together with all of its columns.
    • The computed flags record whether IpAddress and WorkstationName are empty ("-" or "") and whether the target account is NT AUTHORITY\ANONYMOUS LOGON.
  5. Recent Events:
    • The summarized rows are then filtered to those whose earliest occurrence is within the last hour, i.e. combinations that have not appeared at any point in the previous 14 days.
  6. Select Output Columns:
    • Finally, it projects the columns of interest: the time of the event, computer, account details, logon type, authentication and LM package, key length, the emptiness flags and the anonymous-logon flag.

In essence, this query surfaces authentication patterns on domain controllers that are new relative to a 14-day baseline, such as a first NTLM v1 logon, a first logon with no source address or workstation name, or a first anonymous logon. Because the baseline is only 14 days, a combination that has been absent for longer than that resurfaces as new, and the first run after deployment reports every combination present in the last hour.
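The first-seen logic described above, as an added Python example that is not part of the original page: the events, host names and watchlist contents are constructed, and the per-combination arg_min followed by the last-hour filter mirrors the query.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for SecurityEvent rows and the watchlist lookup.
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)
DOMAIN_CONTROLLERS = ["DC01", "DC02"]  # what toscalar(make_list(HostName)) would return

def ev(minutes_ago, computer, account, auth="Kerberos", lm="-", ip="10.0.0.5", ws="WS01",
       target=None, logon="3 - Network", elevated="%%1843", event_id=4624, acct_type="User"):
    """Build one constructed 4624-style row with the columns the query touches."""
    return dict(TimeGenerated=NOW - timedelta(minutes=minutes_ago), Computer=computer,
                EventID=event_id, AccountType=acct_type, Account=account, LogonTypeName=logon,
                AuthenticationPackageName=auth, LmPackageName=lm, IpAddress=ip,
                WorkstationName=ws, ElevatedToken=elevated, TargetAccount=target or account)

EVENTS = [
    ev(10 * 24 * 60, "DC01.corp.local", r"CORP\alice"),  # routine Kerberos, seen for days
    ev(30, "DC01.corp.local", r"CORP\bob"),              # same combination again, recent
    ev(20, "DC02.corp.local", r"CORP\svc-backup", auth="NTLM", lm="NTLM V1", ip="-", ws="-"),
    ev(10, "SRV01.corp.local", r"CORP\svc-backup", auth="NTLM", lm="NTLM V1", ip="-", ws="-"),
    ev(5, "DC01.corp.local", r"NT AUTHORITY\ANONYMOUS LOGON", auth="NTLM", lm="NTLM V1", ip="-", ws="-"),
]

def logon_key(e):
    """The grouping key of the query's 'summarize ... by' clause."""
    return (e["LogonTypeName"], e["AuthenticationPackageName"], e["LmPackageName"],
            e["IpAddress"] in ("-", ""), e["WorkstationName"] in ("-", ""),
            e["ElevatedToken"], e["TargetAccount"] == r"NT AUTHORITY\ANONYMOUS LOGON")

def has_any(text, terms):
    """Approximates KQL has_any: case-insensitive whole-term match."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t}
    return any(t.lower() in tokens for t in terms)

def first_seen_logons(events, now=NOW, dcs=DOMAIN_CONTROLLERS,
                      query_period=timedelta(days=14), query_frequency=timedelta(hours=1)):
    """Rows whose attribute combination first appears (within query_period) in the last query_frequency."""
    earliest = {}
    for e in events:
        if not (e["TimeGenerated"] > now - query_period and e["EventID"] == 4624
                and e["AccountType"] == "User" and has_any(e["Computer"], dcs)):
            continue
        k = logon_key(e)
        if k not in earliest or e["TimeGenerated"] < earliest[k]["TimeGenerated"]:
            earliest[k] = e  # arg_min(TimeGenerated, *): keep the earliest row per combination
    return sorted((e for e in earliest.values() if e["TimeGenerated"] > now - query_frequency),
                  key=lambda e: e["TimeGenerated"])

if __name__ == "__main__":
    for hit in first_seen_logons(EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Account"], logon_key(hit))
```

Only the NTLM v1 logon on DC02 and the anonymous logon on DC01 are reported: the Kerberos combination was already seen ten days ago, and the member server is not on the watchlist.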

Details

Jose Sebastián Canós

Released: March 18, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, DomainControllers, User, Computer, Account, Activity, LogonTypeName, AuthenticationPackageName, LmPackageName, KeyLength, ElevatedToken, IsAnonymousLogon

Operators

let, toscalar, _GetWatchlist, where, summarize, make_list, has_any, arg_min, in, project