Query Details

Security Event Unexpected NTLM Network Authentication

Query

let query_frequency = 5m;
let query_period = 10m;
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
let _ExpectedWorkstationNames = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Notes has "[PAM]"
    | summarize make_list(HostName)
);
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID in (4624, 4625) and Computer has_any (_DomainControllers) and AuthenticationPackageName == "NTLM" and LogonType == "3" and not(AccountType == "Machine") and (ElevatedToken == "%%1842" or WorkstationName in ("-", ""))
| where not(Status == "0x80090317" and Account == @"\")
| where not(WorkstationName has_any (_ExpectedWorkstationNames) or WorkstationName has_any (_DomainControllers))
| project-away PrivilegeList
| join kind=leftouter (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4672 and Computer has_any (_DomainControllers)
    | project Computer, Account, SubjectLogonId, PrivilegeList
    ) on Computer, Account, $left.TargetLogonId == $right.SubjectLogonId
| project-away Computer1, Account1, SubjectLogonId1
| where isnotempty(PrivilegeList) or WorkstationName in ("-", "")
| summarize arg_min(TimeGenerated, *) by Computer, Account, Activity, ElevatedToken, PrivilegeList, WorkstationName, FailureReason, Status, SubStatus
| where TimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    Activity,
    LogonTypeName,
    LogonProcessName,
    AuthenticationPackageName,
    LmPackageName,
    KeyLength,
    TargetLogonId,
    IpAddress,
    WorkstationName,
    PrivilegeList,
    ElevatedToken,
    FailureReason,
    Status,
    SubStatus

Explanation

This KQL query is written for Microsoft Sentinel (it relies on the _GetWatchlist() function) and monitors NTLM network authentication against domain controllers, surfacing logons that are privileged or cannot be attributed to a source host and that do not come from the hosts where NTLM is expected. Here's a step-by-step breakdown of what the query does:

  1. Define Time Intervals:

    • query_frequency is set to 5 minutes (how often the rule is scheduled to run) and query_period to 10 minutes (how far back each run reads). The period is deliberately twice the frequency: a run can still join a logon to a 4672 event that arrived slightly earlier, and it can recognise a pattern that the previous run already reported (see step 7).
  2. Identify Domain Controllers and Expected Workstations:

    • It retrieves a list of domain controllers and a list of expected NTLM source hosts from the Sentinel watchlist named "Service-PrivateCorporateServices". Domain controllers are the rows whose Service column is "DomainController"; expected workstations are the rows whose Notes column contains the tag "[PAM]" (privileged access management hosts). Both lists are materialised with toscalar() so that has_any can test hostnames against them.
  3. Filter Security Events:

    • The query reads security events (from the SecurityEvent table) generated in the last 10 minutes.
    • It keeps events with IDs 4624 (successful logon) and 4625 (failed logon) whose Computer matches one of the domain controllers from the watchlist.
    • It narrows those to NTLM authentication (AuthenticationPackageName == "NTLM") with logon type 3 (network logon) by non-machine accounts, and then to logons where either the token was elevated (ElevatedToken == "%%1842", the resource string for "Yes") or the workstation name is missing ("-" or empty), i.e. the source cannot be named.
  4. Exclude Certain Events:

    • It excludes records with status 0x80090317 and an empty account name (Account == @"\"), a combination that carries no usable principal and would otherwise only generate noise.
    • It also drops events whose WorkstationName matches an expected [PAM] host or another domain controller, so that PAM-brokered sessions and DC-to-DC traffic are not reported.
  5. Join with Privilege Events:

    • PrivilegeList is first removed from the logon events (project-away) so that the join can supply it. The query then performs a left outer join with events of ID 4672 (special privileges assigned to new logon) from the same domain controller, matching on Computer, Account and the logon session (the TargetLogonId of the 4624/4625 equals the SubjectLogonId of the 4672). Logons without a 4672 survive the join with an empty PrivilegeList.
  6. Further Filtering:

    • It keeps only rows where the join found a PrivilegeList (the session received administrative privileges) or where the workstation name is blank, which are kept regardless because such a source cannot be checked against the watchlist.
  7. Summarize and Project Results:

    • summarize arg_min(TimeGenerated, *) collapses repeated rows to the earliest occurrence in the 10-minute window for each combination of computer, account, activity, token elevation, privilege list, workstation name and failure details.
    • The result is then limited to rows whose earliest occurrence falls in the last 5 minutes. Because the lookback is twice the run interval, a pattern first seen 6 to 10 minutes ago was already surfaced by the previous run and is not reported again.
    • Finally, it projects the fields an analyst needs: time, computer, account, logon and authentication details (package, LM package, key length), logon ID, IP address, workstation name, privileges, and failure status.

In essence, this query detects NTLM network logons to domain controllers that are either privileged or cannot be attributed to a known source host. NTLM authentication to a DC from an unexpected host is a classic artifact of credential-reuse techniques such as pass-the-hash, and the watchlist-driven exclusions keep the rule focused on sessions that bypass the sanctioned PAM path.
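To make the pipeline concrete, the following Python script replays the same stages over a handful of constructed SecurityEvent-style records. It is an added illustration, not code from the page's author or from Sentinel: the two watchlist lookups are replaced by the assumed constants DOMAIN_CONTROLLERS and PAM_WORKSTATIONS, every sample event and logon ID is made up, and KQL's has_any is approximated by a case-insensitive whole-token match. Cases A to H in the sample cover each branch of the query, including the de-duplication across runs.

```python
"""Plain-Python replay of the KQL pipeline above over constructed SecurityEvent-style records.
Added illustration only: the watchlist lookups and all events below are assumptions."""
import re
from datetime import datetime, timedelta, timezone

DOMAIN_CONTROLLERS = ["DC01", "DC02"]   # assumed watchlist rows with Service == "DomainController"
PAM_WORKSTATIONS = ["PAMJUMP01"]        # assumed watchlist rows whose Notes contain "[PAM]"
QUERY_FREQUENCY = timedelta(minutes=5)
QUERY_PERIOD = timedelta(minutes=10)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the sample is reproducible


def has_any(value, terms):
    """Approximation of KQL has_any: case-insensitive whole-term match."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", value or "")}
    return any(t.lower() in tokens for t in terms)


def logon(minutes_ago, event_id, computer, account, workstation, logon_id, **overrides):
    """A 4624/4625 record carrying the columns the query filters on (NTLM type-3 by default)."""
    rec = dict(TimeGenerated=NOW - timedelta(minutes=minutes_ago), EventID=event_id,
               Computer=computer, Account=account, AccountType="User",
               AuthenticationPackageName="NTLM", LogonType=3, ElevatedToken="%%1842",
               WorkstationName=workstation, TargetLogonId=logon_id,
               Status="0x0", SubStatus="0x0", FailureReason="-",
               Activity=("4624 - An account was successfully logged on." if event_id == 4624
                         else "4625 - An account failed to log on."))
    rec.update(overrides)
    return rec


def privileges(minutes_ago, computer, account, logon_id, privs):
    """The 4672 record that accompanies a privileged logon in the same session."""
    return dict(TimeGenerated=NOW - timedelta(minutes=minutes_ago), EventID=4672, Computer=computer,
                Account=account, SubjectLogonId=logon_id, PrivilegeList=privs)


EVENTS = [  # constructed sample data, not real telemetry
    # A: privileged NTLM logon from an unlisted host -> alert
    logon(2, 4624, "DC01.corp.local", r"CORP\adm-jdoe", "UNKNOWNHOST", "0x3E7A1"),
    privileges(2, "DC01.corp.local", r"CORP\adm-jdoe", "0x3E7A1", "SeDebugPrivilege"),
    # B: identical pattern from the PAM jump host -> suppressed by the watchlist
    logon(2, 4624, "DC01.corp.local", r"CORP\adm-jdoe", "PAMJUMP01", "0x3E7B2"),
    privileges(2, "DC01.corp.local", r"CORP\adm-jdoe", "0x3E7B2", "SeDebugPrivilege"),
    # C: elevated token but no 4672 and a named workstation -> dropped after the join
    logon(3, 4624, "DC02.corp.local", r"CORP\svc-backup", "FILESRV01", "0x3E7C3"),
    # D: failed NTLM logon with a blank workstation name -> alert even without a 4672
    logon(1, 4625, "DC02.corp.local", r"CORP\jsmith", "-", "0x0", ElevatedToken="%%1843",
          Status="0xC000006D", SubStatus="0xC000006A", FailureReason="%%2313"),
    # E: blank account with status 0x80090317 -> excluded as known noise
    logon(1, 4625, "DC01.corp.local", "\\", "-", "0x0", ElevatedToken="%%1843", Status="0x80090317"),
    # F: Kerberos, not NTLM -> excluded
    logon(1, 4624, "DC01.corp.local", r"CORP\adm-jdoe", "UNKNOWNHOST", "0x3E7F6",
          AuthenticationPackageName="Kerberos"),
    # G: machine account -> excluded
    logon(1, 4624, "DC01.corp.local", r"CORP\FILESRV01$", "FILESRV01", "0x3E807", AccountType="Machine"),
    # H: pattern first seen 7 minutes ago and repeated now -> already reported by the previous run
    logon(7, 4624, "DC02.corp.local", r"CORP\adm-jdoe", "UNKNOWNHOST", "0x3E818"),
    privileges(7, "DC02.corp.local", r"CORP\adm-jdoe", "0x3E818", "SeDebugPrivilege"),
    logon(1, 4624, "DC02.corp.local", r"CORP\adm-jdoe", "UNKNOWNHOST", "0x3E819"),
    privileges(1, "DC02.corp.local", r"CORP\adm-jdoe", "0x3E819", "SeDebugPrivilege"),
]

GROUP_KEYS = ("Computer", "Account", "Activity", "ElevatedToken", "PrivilegeList",
              "WorkstationName", "FailureReason", "Status", "SubStatus")


def detect(events, now=NOW):
    """Mirror the KQL stages; returns the rows a run scheduled at `now` would alert on."""
    since = now - QUERY_PERIOD
    # Steps 3-4: NTLM type-3 logons on DCs with an elevated token or no workstation name,
    # minus the known-noise status/account pair and the expected source hosts.
    logons = [e for e in events
              if e["TimeGenerated"] > since and e["EventID"] in (4624, 4625)
              and has_any(e["Computer"], DOMAIN_CONTROLLERS)
              and e["AuthenticationPackageName"] == "NTLM" and e["LogonType"] == 3
              and e["AccountType"] != "Machine"
              and (e["ElevatedToken"] == "%%1842" or e["WorkstationName"] in ("-", ""))
              and not (e["Status"] == "0x80090317" and e["Account"] == "\\")
              and not (has_any(e["WorkstationName"], PAM_WORKSTATIONS)
                       or has_any(e["WorkstationName"], DOMAIN_CONTROLLERS))]
    # Step 5: leftouter join to 4672 on Computer, Account and the logon session id
    # (KQL would emit one row per matching 4672; the first match is enough for this sample).
    privs = {}
    for e in events:
        if e["EventID"] == 4672 and e["TimeGenerated"] > since and has_any(e["Computer"], DOMAIN_CONTROLLERS):
            privs.setdefault((e["Computer"], e["Account"], e["SubjectLogonId"]), e["PrivilegeList"])
    joined = [dict(e, PrivilegeList=privs.get((e["Computer"], e["Account"], e["TargetLogonId"]), ""))
              for e in logons]
    # Step 6: privileged session, or a source that cannot be named at all.
    joined = [r for r in joined if r["PrivilegeList"] or r["WorkstationName"] in ("-", "")]
    # Step 7: arg_min(TimeGenerated) per group over the full 10-minute window ...
    first = {}
    for r in joined:
        key = tuple(r[k] for k in GROUP_KEYS)
        if key not in first or r["TimeGenerated"] < first[key]["TimeGenerated"]:
            first[key] = r
    # ... then only groups whose first occurrence lies inside the last run interval are new.
    return sorted((r for r in first.values() if r["TimeGenerated"] > now - QUERY_FREQUENCY),
                  key=lambda r: r["TimeGenerated"])
```

Calling detect(EVENTS) returns exactly two rows: case A (the privileged logon from UNKNOWNHOST, with its PrivilegeList filled in by the join) and case D (the failed logon with no workstation name, kept with an empty PrivilegeList). Case H is the one worth studying when tuning: its repeat one minute ago is silently dropped because arg_min chooses the 7-minute-old first occurrence, which the previous run already reported; if query_period were set equal to query_frequency that suppression, and the tolerance for late 4672 events, would both disappear.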

Details


Jose Sebastián Canós

Released: June 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, DomainControllers, WorkstationNames, Account, AuthenticationPackageName, LogonType, ElevatedToken, PrivilegeList, Computer, Activity, FailureReason, Status, SubStatus

Operators

let, toscalar, _GetWatchlist, where, ago, in, has_any, and, not, or, project-away, join, kind=leftouter, on, isnotempty, summarize, arg_min, by, project
