CRUCIBLE

QUICKTRACE

Daily triage queries across authentication, network, endpoint, and cloud — ready to paste into Sentinel, XQL, or Splunk.

24 queries across 4 domains

6 authentication queries (KQL)

Failed Logins — Spike Detection

Authentication

Detects anomalous spikes in failed authentication attempts across Azure AD and on-prem AD.

Sources: AzureAD · Windows Event Log (4625)
SigninLogs
// 50057 = account disabled, 50126 = invalid username or password
| where ResultType == "50057" or ResultType == "50126"
// SigninLogs carries the event time in TimeGenerated
| summarize FailedCount = count() by UserPrincipalName, AppDisplayName, bin(TimeGenerated, 1h)
| where FailedCount > 10

MFA Failures — Possible Fatigue Attack

Authentication

Multiple MFA denials for one user in a short window, indicating an MFA fatigue (push bombing) attack.

Sources: AzureAD · Duo · Okta
SigninLogs
// 500121 = strong authentication (MFA) request failed or was denied
| where ResultType == "500121"
| summarize DenialCount = count() by UserPrincipalName, bin(TimeGenerated, 15m)
| where DenialCount > 5

Privileged Account Usage — Off-Hours

Authentication

Privileged account logons outside business hours (20:00–06:00 local).

Sources: Windows Event Log (4672) · AzureAD
SigninLogs
| where ResultType == "0"   // successful sign-ins only
| where UserPrincipalName contains "admin" or UserPrincipalName contains "svc-"
// TimeGenerated is UTC; apply the tenant's local offset before comparing hours
| extend Hour = datetime_part("hour", TimeGenerated)
| where Hour < 6 or Hour >= 20   // 20:00 through 05:59
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName

Service Account Anomalous Logon

Authentication

Service accounts logging in from unexpected locations or non-allowlisted IP ranges.

Sources: AzureAD · Windows Event Log (4624)
SigninLogs
| where ResultType == "0"
| where UserPrincipalName startswith "svc-"
// Location is the sign-in country code; tune the allowlist and internal range to your environment
| where Location !in ("US", "CA") or IPAddress !startswith "10."
| project TimeGenerated, UserPrincipalName, IPAddress, Location

Guest User Activity — Suspicious

Authentication

Guest/external user access to sensitive applications or elevated privilege grants.

Sources: AzureAD · Microsoft 365
AuditLogs
| where OperationName has_any ("Add guest", "Invite guest", "Grant consent")
| where Result == "success"   // AuditLogs reports the outcome in Result
// InitiatedBy is dynamic; pull the actor out into a plain string column
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Initiator, TargetResources

Password Spray — Pattern Detection

Authentication

Same password attempted across multiple accounts in rapid succession.

Sources: AzureAD · Windows Event Log (4625)
SigninLogs
| where ResultType == "50126"   // invalid username or password
// many distinct accounts from one source in a 5-minute window is the spray signature
| summarize UniqueAccounts = dcount(UserPrincipalName) by IPAddress, AppDisplayName, bin(TimeGenerated, 5m)
| where UniqueAccounts > 3
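As an added, stand-alone illustration of the password-spray logic above (not part of the QuickTrace query set), the same 5-minute bucketing and distinct-account count in Python, run over constructed sample sign-in rows; the row shape, IPs and UPNs are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def signin(ts, upn, ip, result="50126", app="Office 365"):
    """Build one constructed SigninLogs-style row (sample data, not real telemetry)."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "AppDisplayName": app, "ResultType": result}

# Constructed sample: 203.0.113.7 walks through four accounts inside one
# 5-minute bucket; 198.51.100.9 is a single user fumbling their own password.
SAMPLE_SIGNINS = [
    signin("2024-05-01T09:00:10Z", "alice@example.com", "203.0.113.7"),
    signin("2024-05-01T09:01:05Z", "bob@example.com",   "203.0.113.7"),
    signin("2024-05-01T09:02:40Z", "Carol@example.com", "203.0.113.7"),
    signin("2024-05-01T09:03:55Z", "dave@example.com",  "203.0.113.7"),
    signin("2024-05-01T09:04:20Z", "erin@example.com",  "203.0.113.7", result="0"),  # success, not counted
    signin("2024-05-01T09:06:00Z", "frank@example.com", "203.0.113.7"),              # falls in the next bucket
    signin("2024-05-01T09:00:00Z", "alice@example.com", "198.51.100.9"),
    signin("2024-05-01T09:01:00Z", "alice@example.com", "198.51.100.9"),
    signin("2024-05-01T09:02:00Z", "alice@example.com", "198.51.100.9"),
]

def bin_5m(ts):
    """Floor an ISO-8601 UTC timestamp to its 5-minute bucket, like bin(TimeGenerated, 5m)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t - timedelta(minutes=t.minute % 5, seconds=t.second)

def password_spray_candidates(events, threshold=3):
    """Mirror the KQL: keep ResultType 50126, count distinct UPNs per
    (IPAddress, AppDisplayName, 5m bucket), return groups above the threshold.
    UPNs are lower-cased so a sprayer varying letter case still counts once per account."""
    accounts = defaultdict(set)
    for e in events:
        if e["ResultType"] != "50126":
            continue
        key = (e["IPAddress"], e["AppDisplayName"], bin_5m(e["TimeGenerated"]))
        accounts[key].add(e["UserPrincipalName"].lower())
    return sorted((ip, app, bucket, len(users))
                  for (ip, app, bucket), users in accounts.items()
                  if len(users) > threshold)

if __name__ == "__main__":
    for ip, app, bucket, n in password_spray_candidates(SAMPLE_SIGNINS):
        print(f"{bucket:%H:%M} {ip} {app}: {n} distinct accounts failed with 50126")
```

The successful sign-in from the spraying IP is deliberately excluded, as in the KQL; a follow-up query joining 50126 bursts to a later ResultType "0" from the same IP is the natural next triage step.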
24 queries across 4 domains · 6 authentication · 6 network · 6 endpoint · 6 cloud