KQL Log Analytics Queries

Windows Security Events (SecurityEvent)

Critical Event IDs

Event ID  Description
4624      Successful logon
4625      Failed logon
4634      Logoff
4648      Logon with explicit credentials (runas)
4672      Special privileges assigned (admin logon)
4688      Process created
4720      User account created
4722      User account enabled
4724      Password reset attempt
4725      User account disabled
4728      Member added to security group
4732      Member added to local group
4740      Account locked out
4756      Member added to universal group
4768      Kerberos TGT requested
4769      Kerberos service ticket requested
4776      NTLM authentication attempt
7045      New service installed

Logon Types (Event 4624/4625)

Type  Name               Description
2     Interactive        Console logon (keyboard)
3     Network            SMB, mapped drives
4     Batch              Scheduled tasks
5     Service            Service Control Manager
7     Unlock             Workstation unlock
8     NetworkCleartext   IIS basic auth
10    RemoteInteractive  RDP
11    CachedInteractive  Cached credentials (offline logon)

Quick Queries

Failed RDP logons (last 24h)

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| where LogonType == 10
| summarize count() by TargetAccount, IpAddress
| sort by count_ desc

New services installed

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 7045
// The 7045 fields are exposed as their own columns; EventData holds the raw event XML
| project TimeGenerated, Computer, ServiceName, ServiceFileName, ServiceAccount

Account lockouts

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4740
| project TimeGenerated, TargetAccount, Computer
| sort by TimeGenerated desc
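A correlation query added here as an example (not part of the original cheat sheet): it flags accounts that saw a burst of 4625 failures from one IP and then a 4624 success from that same IP, the pattern a brute-force or password-spray attempt leaves when it lands. The thresholds (10 failures, a 1h window after the last failure) are assumed starting values to tune for your environment.

```kql
// Brute-force followed by success (added example, assumes the SecurityEvent columns used above)
let lookback = 24h;
let failThreshold = 10;       // assumed threshold, tune per environment
let successWindow = 1h;       // assumed window after the last failure
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by TargetAccount, IpAddress, Computer
    | where FailedCount >= failThreshold;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624
| where LogonType in (3, 10)   // network or RDP, the types remote guessing produces
| project SuccessTime = TimeGenerated, TargetAccount, IpAddress, Computer, LogonType
| join kind=inner failures on TargetAccount, IpAddress, Computer
// Keep only successes that follow the failure burst within the window
| where SuccessTime between (LastFail .. (LastFail + successWindow))
| project TargetAccount, IpAddress, Computer, LogonType,
          FailedCount, FirstFail, LastFail, SuccessTime
| sort by FailedCount desc
```

A hit here is worth treating as a likely compromised credential rather than just noise from a locked-out user, since the success is on the same account from the same source.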

Syslog (Linux/Network)

Syslog by facility and severity

Syslog
| where TimeGenerated > ago(24h)
| summarize count() by Facility, SeverityLevel
| sort by count_ desc

SSH authentication failures

Syslog
| where TimeGenerated > ago(24h)
| where ProcessName == "sshd"
| where SyslogMessage contains "Failed password"
// For unknown accounts sshd logs "Failed password for invalid user <name> from ...",
// so User then contains the "invalid user " prefix
| parse SyslogMessage with * "Failed password for " User " from " IP " port " *
| summarize count() by User, IP
| sort by count_ desc

CommonSecurityLog (CEF)

Firewall denied traffic

CommonSecurityLog
| where TimeGenerated > ago(24h)
// DeviceAction values are vendor-specific and the comparison is case-sensitive;
// check what your firewall actually emits before relying on these two
| where DeviceAction == "Deny" or DeviceAction == "Drop"
| summarize count() by SourceIP, DestinationIP, DestinationPort, DeviceProduct
| sort by count_ desc
| take 20