Community query exchange
Share, discover, and version LogScale queries, parsers, and dashboards with the community.
Recently shared by the community.
"@collect.source_type"=file | /NO_CLIENT_SITE/i
For that to work the logscale collector has to retrieve the net logon file: sources: netlogon: type: file sink: logscale include: - "C:/Windows/debug/netlogon.log"
@sebastian · 15.6.2026
in(field="#windows.EventID", values=[4769,4768])
| TicketEnc := coalesce([windows.EventData.TicketEncryptionType])
| SessionKeyEnc := coalesce([windows.EventData.SessionKeyEncryptionType])
| case {
This query identifies users, service accounts, and systems that are still using RC4-based Kerberos encryption. It analyzes authentication events to detect RC4 usage in both ticket encryption and session keys, enabling the identification of dependencies on outdated cryptographic protocols. The results help to proactively locate affected accounts and systems that may experience issues after the RC4 deactivation, supporting remediation and migration to secure encryption standards such as AES.
@sebastian · 15.6.2026
Recently shared ingest parsers.
No parsers published yet.
Upload parserRecently shared dashboard definitions.
name: User Dashboard timeSelector: defaultTimeJumpInMs: 30000 sharedTimeInterval:
Provides a centralized overview of user logins across virtual desktop environments. The dashboard links activity to specific desktop pools (e.g., Windows 7 and Windows 10) and tracks concurrent logins, enabling administrators to monitor users who are simultaneously accessing multiple pools. You can change the poolIds to match your environment.
@sebastian · 15.6.2026