Windows Security Logs (Identity and Logon Activities)
Note: Sometimes, you may have to customise the queries to your environment, and queries will only return results if the data is available. The DeviceLogonEvents queries below target Microsoft Defender XDR advanced hunting; the queries that filter on a raw Windows Security event ID need a table that exposes EventID, such as the SecurityEvent table in Microsoft Sentinel, whose column names differ from the Device* tables.
Overview:
Windows Security Logs contain rich information about identity and logon activities. These logs are crucial for detecting unauthorized logons, privilege escalation, and lateral movement.
25 Example Queries for Identity and Logon Activities:
Track Successful Logon Events (Event ID 4624) Event ID 4624 records successful logon events, which can be analyzed for suspicious activity.
DeviceLogonEvents | where ActionType == "LogonSuccess" | summarize count() by AccountName, DeviceName, RemoteIP
Monitor Failed Logon Attempts (Event ID 4625) Multiple failed logon attempts may indicate a brute force attack.
DeviceLogonEvents | where ActionType == "LogonFailed" | summarize count() by AccountName, DeviceName, RemoteIP
Track Interactive Logons (LogonType 2, Event ID 4624) Interactive logons are console logons made at the keyboard of the machine (or a VM/hypervisor console). RDP logons are LogonType 10 (RemoteInteractive) and are covered separately below.
DeviceLogonEvents | where ActionType == "LogonSuccess" and LogonType == "Interactive" | summarize count() by AccountName, DeviceName, RemoteIP
Detect Service Logons (LogonType 5) A Service logon is recorded when the Service Control Manager starts a service under a given account. The set of accounts that appear here is normally stable, so a new account (or a user account rather than a service/gMSA account) may point to a malicious service installed for persistence.
DeviceLogonEvents | where ActionType == "LogonSuccess" and LogonType == "Service" | summarize count() by AccountName, DeviceName
Monitor Privileged Logons (Event ID 4672) Event ID 4672 is logged when a new logon session is assigned sensitive privileges (for example SeDebugPrivilege or SeTcbPrivilege). It carries no source IP or logon type of its own, so correlate it with the 4624 that shares the same logon ID to see where the privileged session came from. DeviceEvents has no EventID column; this query uses the Sentinel SecurityEvent table.
SecurityEvent | where EventID == 4672 | where Account !endswith "$" | summarize count() by Account, Computer
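The correlation described above, as an added example that is not part of the original page: 4672 (special privileges assigned) is joined to the matching 4624 on the logon ID so that each privileged session gets its source IP and logon type. It assumes Windows Security events are flowing into Microsoft Sentinel's SecurityEvent table; the privilege list, lookback window and the exclusion of computer accounts (names ending in "$") are choices for this example, not part of the original query.

```kql
// Added example, not from the original page. Enrich 4672 with the 4624 that created the session.
// Assumes Microsoft Sentinel's SecurityEvent table (EventID, TargetLogonId, SubjectLogonId, IpAddress, LogonType).
let lookback = 7d;
// 4624: the logon that created the session. TargetLogonId is the session's logon ID.
let Logons = SecurityEvent
    | where TimeGenerated > ago(lookback) and EventID == 4624
    | where LogonType in (2, 3, 10)            // interactive, network, RDP
    | project Computer, LogonTime = TimeGenerated, TargetLogonId, IpAddress, LogonType, TargetUserName;
// 4672: privileges assigned to that session. SubjectLogonId is the same logon ID.
SecurityEvent
| where TimeGenerated > ago(lookback) and EventID == 4672
| where SubjectUserName !endswith "$"          // drop computer accounts (assumption: they are noise here)
| project Computer, PrivTime = TimeGenerated, SubjectLogonId, SubjectUserName, PrivilegeList
| join kind=inner Logons on Computer, $left.SubjectLogonId == $right.TargetLogonId
// Focus on privileges commonly abused for credential theft and tampering (example list, adjust as needed)
| where PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege")
| summarize Sessions = count(), FirstSeen = min(PrivTime), LastSeen = max(PrivTime)
    by SubjectUserName, Computer, IpAddress, LogonType
| order by Sessions asc                        // rare user/host/source combinations first
```

Sorting ascending by session count surfaces the privileged logons that have happened only once or twice, which is where a freshly stolen admin credential tends to show up before it becomes routine.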
Detect Kerberos Pre-Authentication Failures (Event ID 4771) Event ID 4771 is logged on the domain controller when Kerberos pre-authentication fails. The Status field holds the Kerberos error code: 0x18 is a bad password (brute force or credential guessing against Kerberos), 0x12 is a disabled, locked or expired account. Many 0x18 results for one account, or across many accounts from one IP, are the Kerberos equivalent of 4625 spraying.
SecurityEvent | where EventID == 4771 | summarize count() by TargetUserName, IpAddress, Status
Track NTLM Logon Events (Event ID 4624) NTLM logons are what pass-the-hash lateral movement produces, since an NTLM hash can be used without the plaintext password. In DeviceLogonEvents the authentication protocol is in the Protocol column; a Kerberos-capable domain account that suddenly authenticates with NTLM to a new host is worth a look.
DeviceLogonEvents | where ActionType == "LogonSuccess" and Protocol == "NTLM" | summarize count() by AccountName, DeviceName, RemoteIP
Monitor Account Lockout Events (Event ID 4740) Event ID 4740 is logged on the domain controller when an account reaches the lockout threshold. A burst of lockouts across many accounts usually means a password spray; repeated lockouts of one account may be a brute force attempt or a stale credential in a scheduled task or service.
SecurityEvent | where EventID == 4740 | summarize count() by TargetUserName, Computer
Detect Logon Events During Unusual Hours Successful logons outside business hours may indicate unauthorized access. Timestamp is in UTC, so shift the hour window to match the local working hours of the users you are checking.
DeviceLogonEvents | where ActionType == "LogonSuccess" | extend Hour = hourofday(Timestamp) | where Hour between (1 .. 5) | summarize count() by AccountName, DeviceName, RemoteIP
Track Interactive Logon Failures (LogonType 2) Failed interactive logons may indicate unauthorized attempts to access a system.
DeviceLogonEvents | where LogonType == "Interactive" and ActionType == "LogonFailed" | summarize count() by AccountName, DeviceName, RemoteIP
Detect Unusual Logon Locations for Users (GeoLocation Analysis) Successful logons from an unexpected country may indicate credential compromise. DeviceLogonEvents has no location column; the geo_info_from_ip_address() function resolves the RemoteIP where it is supported, and RemoteIPType lets you restrict the check to public addresses. Replace "expected_country" with the countries your users normally log on from.
DeviceLogonEvents | where ActionType == "LogonSuccess" and RemoteIPType == "Public" | extend Country = tostring(geo_info_from_ip_address(RemoteIP).country) | summarize count() by AccountName, DeviceName, RemoteIP, Country | where Country != "expected_country"
Monitor Remote Logons Using RDP (Event ID 4624, LogonType 10) Remote logons using RDP may be an indication of lateral movement or remote access attacks.
DeviceLogonEvents | where LogonType == "RemoteInteractive" | summarize count() by AccountName, DeviceName, RemoteIP
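The RDP hunt above lists every remote interactive logon. The added example below (not part of the original page) narrows it to the RDP source-to-destination pairs that appeared in the last 24 hours but never in the preceding baseline period, which is the pattern lateral movement leaves. It assumes the Defender XDR DeviceLogonEvents table; the 30-day baseline is capped at the default advanced hunting retention, and the window lengths are example values.

```kql
// Added example, not from the original page. First-seen RDP (LogonType 10 / RemoteInteractive)
// source->destination pairs. Assumes Defender XDR DeviceLogonEvents.
let baselineStart = ago(30d);   // advanced hunting keeps 30 days, so the baseline cannot be longer
let recentStart   = ago(1d);
let RdpSuccess = DeviceLogonEvents
    | where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
    | where isnotempty(RemoteIP)
    | project Timestamp, AccountName, DeviceName, RemoteIP, RemoteDeviceName;
// Every source IP -> destination device pair seen during the baseline period
let Baseline = RdpSuccess
    | where Timestamp between (baselineStart .. recentStart)
    | distinct RemoteIP, DeviceName;
// Recent pairs with no match in the baseline
RdpSuccess
| where Timestamp > recentStart
| join kind=leftanti Baseline on RemoteIP, DeviceName
| summarize Logons = count(), Accounts = make_set(AccountName, 10), FirstSeen = min(Timestamp)
    by RemoteIP, RemoteDeviceName, DeviceName
| order by FirstSeen desc
```

A pair that is new and also uses an account that has never RDP'd to that device before is the strongest signal; a new pair from a jump host or a VPN pool address is usually benign and can be excluded once identified.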
Detect Unsuccessful Logon Attempts for Privileged Accounts Failed logon attempts for admin accounts may indicate credential guessing or brute force attacks.
DeviceLogonEvents | where AccountName contains "admin" and ActionType == "LogonFailed" | summarize count() by AccountName, DeviceName, RemoteIP
Track Use of Temporary or Guest Accounts for Logon Temporary or guest accounts being used for logon may indicate unauthorized access.
DeviceLogonEvents | where AccountName contains "guest" or AccountName contains "temp" | summarize count() by AccountName, DeviceName, RemoteIP
Monitor NTLM Credential Validation (Event ID 4776) Event ID 4776 is not a smartcard event: it records an NTLM credential validation attempt on the domain controller or local machine. Status 0xC000006A is a wrong password, 0xC0000064 a non-existent user and 0xC0000234 a locked-out account, so it is another place to spot brute force and spraying. Smartcard and other certificate-based logons appear instead as Kerberos TGT requests (Event ID 4768) that carry certificate information.
SecurityEvent | where EventID == 4776 | summarize count() by TargetUserName, Workstation, Status
Detect Logon Attempts Using Stale Credentials (Expired Passwords) Repeated attempts to log on with an expired password may indicate an attacker replaying stolen credentials, or a forgotten credential in a script or service. DeviceLogonEvents has no Status column; the reason for a failure is in FailureReason (run distinct FailureReason to confirm the exact values in your tenant).
DeviceLogonEvents | where ActionType == "LogonFailed" and FailureReason =~ "PasswordExpired" | summarize count() by AccountName, DeviceName, RemoteIP
Track Failed Logon Attempts Due to Bad Passwords Bad password failures may indicate a brute force or credential stuffing attack.
DeviceLogonEvents | where ActionType == "LogonFailed" and FailureReason =~ "InvalidUserNameOrPassword" | summarize count() by AccountName, DeviceName, RemoteIP
Monitor Certificate-Based Logons That May Come From Shadow Credentials A Shadow Credentials attack writes a key to an account's msDS-KeyCredentialLink attribute and then authenticates with PKINIT, so the Kerberos TGT request (Event ID 4768 on the domain controller) contains certificate issuer, serial and thumbprint fields. There is no certificate indicator in DeviceLogonEvents; this query pulls the thumbprint out of the 4768 event data so that certificate logons for accounts that never use smartcards stand out.
SecurityEvent | where EventID == 4768 | extend CertThumbprint = extract(@'<Data Name="CertThumbprint">([0-9A-Fa-f]+)</Data>', 1, EventData) | where isnotempty(CertThumbprint) | summarize count() by TargetUserName, IpAddress, CertThumbprint
Track Successful Logons Using Unusual Logon Types (Service, Batch) Service (type 5) and Batch (type 4) logons are normally tied to a fixed set of accounts used by services and scheduled tasks; a user or admin account appearing with one of these logon types may mean an attacker has installed a service or task for persistence. "System" is not a LogonType value in DeviceLogonEvents.
DeviceLogonEvents | where ActionType == "LogonSuccess" and LogonType in ("Service", "Batch") | summarize count() by AccountName, LogonType, DeviceName
Detect Multiple Logon Attempts from a Single IP Address (Credential Stuffing) Many failed logons from one IP in a short window are the signature of brute force and credential stuffing. Counting per IP and time bucket, and tracking the number of distinct accounts, separates a spray (many accounts, few tries each) from a brute force against one account; the original per-IP-and-account count would hide the spray case.
DeviceLogonEvents | where ActionType == "LogonFailed" | summarize Attempts = count(), Accounts = dcount(AccountName) by RemoteIP, bin(Timestamp, 1h) | where Attempts > 10
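The brute-force (Event ID 4625) and credential-stuffing items above both reduce to the same question: which source IPs generate bursts of failures, and did any of them then log on successfully? The added example below (not part of the original page) answers it in one query: failures are bucketed per RemoteIP in 10-minute windows, labelled as brute force or spray/stuffing by the number of distinct accounts, and joined to any success from the same IP in the following hour. It assumes the Defender XDR DeviceLogonEvents table; the window, thresholds and labels are example values.

```kql
// Added example, not from the original page. Failure bursts per source IP, classified and
// correlated with a later success from the same IP. Assumes Defender XDR DeviceLogonEvents.
let lookback    = 7d;
let window      = 10m;   // bucket size for counting failures
let minAttempts = 20;    // example threshold: fewer failures per bucket are ignored
let sprayMin    = 10;    // example threshold: this many distinct accounts marks a spray/stuffing attempt
let Failures = DeviceLogonEvents
    | where Timestamp > ago(lookback) and ActionType == "LogonFailed"
    | where isnotempty(RemoteIP) and RemoteIPType != "Loopback"
    | summarize Attempts = count(), Accounts = dcount(AccountName),
                AccountSample = make_set(AccountName, 5),
                WindowStart = min(Timestamp), WindowEnd = max(Timestamp)
        by RemoteIP, Window = bin(Timestamp, window)
    | where Attempts >= minAttempts
    | extend Pattern = iff(Accounts >= sprayMin, "Spray/Stuffing", "BruteForce");
let Successes = DeviceLogonEvents
    | where Timestamp > ago(lookback) and ActionType == "LogonSuccess"
    | project RemoteIP, SuccessTime = Timestamp, SuccessAccount = AccountName, SuccessDevice = DeviceName;
Failures
| join kind=leftouter Successes on RemoteIP
// A success counts only if it lands within an hour after the failure burst ended
| extend InWindow = isnotnull(SuccessTime) and SuccessTime between (WindowEnd .. WindowEnd + 1h)
| summarize Attempts = take_any(Attempts), Accounts = take_any(Accounts), Pattern = take_any(Pattern),
            AccountSample = take_any(AccountSample),
            FollowedBySuccess = countif(InWindow),
            SucceededAs = make_set_if(SuccessAccount, InWindow, 5),
            SucceededOn = make_set_if(SuccessDevice, InWindow, 5)
    by RemoteIP, Window
| order by FollowedBySuccess desc, Attempts desc
```

Rows with FollowedBySuccess greater than zero are the ones to act on first, because a guessing campaign that ended in a valid logon is an incident rather than noise. The leftouter join fans out over every success from the same IP across the lookback, which is fine for a week of data but worth narrowing (for example to RemoteIPType == "Public") on a large tenant.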
Monitor Use of Administrative Accounts for Interactive Logons Interactive logons using administrative accounts can be tracked for unauthorized access.
DeviceLogonEvents | where AccountName contains "admin" and LogonType == "Interactive" | summarize count() by AccountName, DeviceName, RemoteIP
Track Failed NTLM Authentication Attempts NTLM failures are where password spraying and pass-the-hash attempts with a wrong or stale hash land, and they are not covered by the Kerberos events on the domain controller. Grouping by FailureReason separates bad credentials from policy blocks such as disabled accounts.
DeviceLogonEvents | where ActionType == "LogonFailed" and Protocol == "NTLM" | summarize count() by AccountName, DeviceName, RemoteIP, FailureReason
Detect Logons Using Expired or Disabled Accounts Logon attempts against disabled or expired accounts may mean an attacker is working from an old credential dump or a list of former employees. The reason is in FailureReason (run distinct FailureReason to confirm the exact values in your tenant).
DeviceLogonEvents | where ActionType == "LogonFailed" and FailureReason in~ ("AccountDisabled", "AccountExpired") | summarize count() by AccountName, DeviceName, RemoteIP
Monitor Logon Attempts Using Compromised Accounts (Known Breaches) Accounts known to appear in a breach dump can be watched for any logon activity, successful or not. Put the account names in the list at the start of the query.
let CompromisedAccounts = dynamic(["account1", "account2"]); DeviceLogonEvents | where AccountName in~ (CompromisedAccounts) | summarize count() by AccountName, DeviceName, RemoteIP, ActionType
Track Use of Anonymous Logon Accounts (Event ID 4624, Account: ANONYMOUS LOGON) ANONYMOUS LOGON network logons are generated by null sessions and some SMB and RPC traffic, so they are not suspicious on their own; a spike from a single RemoteIP, or anonymous logons to hosts that never see them, is the part worth investigating.
DeviceLogonEvents | where AccountName =~ "ANONYMOUS LOGON" | summarize count() by DeviceName, RemoteIP, LogonType