Kerberos Unusual Process
Query
// Kerberos traffic from unusual Windows process
DeviceNetworkEvents
| where RemotePort == 88
// -- BEGIN FALSE POSITIVES --
| where InitiatingProcessFileName != "" // missing sensor data
| where InitiatingProcessFolderPath !~ "c:\\windows\\system32\\lsass.exe" // Windows default kerberos client
// -- END FALSE POSITIVES --
| where AdditionalFields !contains "Posix" // ignore Linux and Mac
| sort by TimestampExplanation
This query is looking for Kerberos traffic from a Windows process that is not the default Kerberos client. It filters out false positives and ignores Linux and Mac systems. The results are sorted by timestamp.
Details

C.J. May
Released: November 6, 2023
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemotePortInitiatingProcessFileNameInitiatingProcessFolderPathAdditionalFieldsTimestamp
Operators
where==!=!~!contains|sort by