Query Details

Windows Detect NTLM Usage In The Environment

Query

```kql
// Advanced Hunting query to detect NTLM usage in the environment
// All credit for this query goes to Matt Zorich
IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol =~ "Ntlm"
| where LogonType == "Credentials validation"
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
| sort by ['Target Device Count'] desc
```

Explanation

This query is designed to identify and analyze the use of NTLM (NT LAN Manager) authentication in a network environment over the past seven days. Here's a simplified breakdown of what it does:

  1. Data Source: It examines logon events from the IdentityLogonEvents table.

  2. Time Frame: It focuses on events that occurred within the last seven days.

  3. Filter Criteria:

    • It looks for successful logon actions (ActionType == "LogonSuccess").
    • It specifically targets logons using the NTLM protocol (Protocol =~ "Ntlm"; the =~ operator makes the comparison case-insensitive).
    • It considers logons where the type is "Credentials validation" (LogonType == "Credentials validation").

  4. Data Aggregation:

    • For each device and account, it compiles a list of unique target devices (DestinationDeviceName) where NTLM logons occurred.
    • It also counts the number of unique target devices for each combination of device and account.

  5. Sorting:

    • The results are sorted in descending order based on the count of unique target devices, highlighting the accounts and devices with the most NTLM activity.

In essence, this query helps identify which accounts and devices are most frequently using NTLM authentication, potentially highlighting areas for security review or improvement.
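To make the query's stages traceable offline, the following Python re-implements the same pipeline (7-day window, the three filters, summarize with make_set/dcount, sort desc) over a constructed set of IdentityLogonEvents-style rows. This is an added example written for this page, not code from the original author or from Microsoft; the fixed "now", the host and account names, and the event rows are all constructed assumptions, and the case-sensitivity rules mirror KQL's == versus =~.

```python
"""Python mirror of the NTLM-usage hunting query, run over constructed sample events.

Added example, not part of the original page. Each stage of the KQL query
(time window, filters, summarize make_set/dcount, sort desc) is reproduced so
the logic can be checked without a Defender tenant. The rows below are
constructed test data, not real IdentityLogonEvents records.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 7-day window is deterministic (assumption for this example).
NOW = datetime(2026, 2, 12, tzinfo=timezone.utc)


def _ts(days_ago: float) -> datetime:
    return NOW - timedelta(days=days_ago)


def _ev(days_ago, action, proto, ltype, dest, device, account):
    """Build one constructed row with the columns the query touches."""
    return dict(Timestamp=_ts(days_ago), ActionType=action, Protocol=proto,
                LogonType=ltype, DestinationDeviceName=dest,
                DeviceName=device, AccountName=account)


CV = "Credentials validation"
SAMPLE_EVENTS = [
    # Workstation user reaching two file servers; the repeated FS01 row shows make_set dedup
    _ev(1, "LogonSuccess", "Ntlm", CV, "FS01", "WS01", "alice"),
    _ev(2, "LogonSuccess", "NTLM", CV, "FS02", "WS01", "alice"),
    _ev(3, "LogonSuccess", "ntlm", CV, "FS01", "WS01", "alice"),
    # Service account touching four hosts: highest count, should sort first
    *[_ev(0.5, "LogonSuccess", "Ntlm", CV, f"SRV{i:02d}", "ADMIN01", "svc_backup")
      for i in range(1, 5)],
    # Excluded by the filters: Kerberos, failed logon, outside window, other logon type
    _ev(1, "LogonSuccess", "Kerberos", CV, "FS01", "WS02", "bob"),
    _ev(1, "LogonFailed", "Ntlm", CV, "FS01", "WS02", "bob"),
    _ev(9, "LogonSuccess", "Ntlm", CV, "FS09", "WS03", "carol"),
    _ev(1, "LogonSuccess", "Ntlm", "Interactive", "FS01", "WS03", "carol"),
]


def ntlm_usage_summary(events, now=NOW, window_days=7):
    """Apply the query's filters and aggregation; rows sorted by target count desc."""
    cutoff = now - timedelta(days=window_days)          # Timestamp > ago(7d)
    groups = defaultdict(set)                           # make_set per (DeviceName, AccountName)
    for ev in events:
        if not ev["Timestamp"] > cutoff:
            continue
        if ev["ActionType"] != "LogonSuccess":          # KQL == is case-sensitive
            continue
        if ev["Protocol"].lower() != "ntlm":            # KQL =~ is case-insensitive
            continue
        if ev["LogonType"] != "Credentials validation":
            continue
        groups[(ev["DeviceName"], ev["AccountName"])].add(ev["DestinationDeviceName"])
    rows = [
        {"DeviceName": dev, "AccountName": acct,
         "Target Device List": sorted(dests),           # make_set(DestinationDeviceName)
         "Target Device Count": len(dests)}             # dcount(DestinationDeviceName)
        for (dev, acct), dests in groups.items()
    ]
    rows.sort(key=lambda r: r["Target Device Count"], reverse=True)   # sort by ... desc
    return rows


if __name__ == "__main__":
    for row in ntlm_usage_summary(SAMPLE_EVENTS):
        print(f'{row["DeviceName"]:>8} {row["AccountName"]:<12} '
              f'{row["Target Device Count"]}  {row["Target Device List"]}')
```

Running it lists the service account first with four distinct targets, then alice with two; the Kerberos, failed, stale and interactive rows never reach the aggregation, which is the behaviour a reviewer should expect from the query before tuning thresholds on real data.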

Details

Nathan Hutchinson

Released: February 12, 2026

Tables

IdentityLogonEvents

Keywords

IdentityLogonEvents, Timestamp, ActionType, Protocol, LogonType, DestinationDeviceName, DeviceName, AccountName

Operators

ago, ==, =~, summarize, make_set, dcount, by, sort, desc
