Query Details

Kerberos Failures

Query

SecurityEvent
| where Channel == "Security"
| where TimeGenerated > ago(30d)
| sort by TimeGenerated desc
| where EventID == 4771
| summarize count() by bin(TimeGenerated, 60m)
| render columnchart

Explanation

This query analyzes Windows security events from the "Security" channel stored in the SecurityEvent table. Here is a step-by-step breakdown of what it does:

  1. Filter by channel: It keeps only events from the "Security" channel.

  2. Time frame: It keeps only events generated in the last 30 days.

  3. Sort order: The events are sorted in descending order of TimeGenerated, so the most recent events come first. Because the events are aggregated in a later step, this ordering has no effect on the final chart; it is harmless but unnecessary.

  4. Specific event: It filters to events with EventID 4771, which Windows logs when Kerberos pre-authentication fails; these are commonly a sign of unsuccessful logon attempts.

  5. Aggregation: It counts these events and groups the counts into 60-minute bins.

  6. Visualization: Finally, it renders the result as a column chart, making the frequency of these events over time easy to see.

In summary, the query shows how often Kerberos pre-authentication failures occurred over the last 30 days, broken down by hour.
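The same pipeline written in plain Python over constructed sample records, added here as an illustration and not part of the original page or its query library. It mirrors the channel filter, the 30-day window, the EventID filter and the hourly bin() floor; NOW, SAMPLE_EVENTS and the function names are assumptions, and the event ID is a parameter so the same logic can be reused for other event IDs.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the output is reproducible (assumption, not a real clock).
NOW = datetime(2025, 2, 27, 12, 0, tzinfo=timezone.utc)

# Constructed rows shaped like SecurityEvent records; not real telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=5),  "Channel": "Security", "EventID": 4771},
    {"TimeGenerated": NOW - timedelta(minutes=20), "Channel": "Security", "EventID": 4771},
    {"TimeGenerated": NOW - timedelta(minutes=70), "Channel": "Security", "EventID": 4771},
    {"TimeGenerated": NOW - timedelta(minutes=75), "Channel": "Security", "EventID": 4624},  # successful logon: excluded
    {"TimeGenerated": NOW - timedelta(minutes=80), "Channel": "System",   "EventID": 4771},  # wrong channel: excluded
    {"TimeGenerated": NOW - timedelta(days=31),    "Channel": "Security", "EventID": 4771},  # outside the 30d window
]


def kql_bin(ts, size):
    """Mirror KQL bin(): floor a timestamp to the start of its bucket, measured from the Unix epoch."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return ts - ((ts - epoch) % size)


def kerberos_failures_per_hour(events, now=NOW, lookback=timedelta(days=30),
                               bin_size=timedelta(minutes=60), event_id=4771):
    """Return [(bin_start_label, count), ...] in ascending time order, like the query's summarize step."""
    cutoff = now - lookback
    counts = Counter()
    for ev in events:
        if ev["Channel"] != "Security":          # | where Channel == "Security"
            continue
        if ev["TimeGenerated"] <= cutoff:        # | where TimeGenerated > ago(30d)
            continue
        if ev["EventID"] != event_id:            # | where EventID == 4771
            continue
        counts[kql_bin(ev["TimeGenerated"], bin_size)] += 1   # summarize count() by bin(TimeGenerated, 60m)
    return [(start.strftime("%Y-%m-%d %H:%M"), n) for start, n in sorted(counts.items())]


if __name__ == "__main__":
    # A text stand-in for the column chart: one row per hourly bin.
    for label, n in kerberos_failures_per_hour(SAMPLE_EVENTS):
        print(f"{label}  {'#' * n} ({n})")
```

Note that no sort step is needed before the aggregation; the output is ordered by bin start, which is what the column chart's x-axis uses.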

Details


Daniel Card

Released: February 27, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, TimeGenerated, EventID

Operators

where, sort by, summarize, bin, render
