"@collect.source_type"=file | /NO_CLIENT_SITE/i

For that to work, the LogScale Collector has to retrieve the netlogon file:

sources:
  netlogon:
    type: file
    sink: logscale
    include:
      - "C:/Windows/debug/netlogon.log"
@sebastian · 15.6.2026
LogScale query
Discover LogScale queries shared by the community.
in(field="#windows.EventID", values=[4769,4768])
| TicketEnc := coalesce([windows.EventData.TicketEncryptionType])
| SessionKeyEnc := coalesce([windows.EventData.SessionKeyEncryptionType])
| case {

This query identifies users, service accounts, and systems that are still using RC4-based Kerberos encryption. It analyzes authentication events to detect RC4 usage in both ticket encryption and session keys, enabling the identification of dependencies on outdated cryptographic protocols. The results help to proactively locate affected accounts and systems that may experience issues after the RC4 deactivation, supporting remediation and migration to secure encryption standards such as AES.
@sebastian · 15.6.2026
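
An added example, not part of the shared query: the RC4 check described above, written in Python for events 4768/4769 that have already been exported as dictionaries. The sample events are constructed, and the flat field layout (EventID, TargetUserName, ServiceName) is an assumption; the two encryption-type fields are the ones the query reads.

```python
from collections import Counter

# Kerberos encryption type numbers: 0x17 and 0x18 are the RC4-HMAC variants.
RC4_ETYPES = {0x17, 0x18}
KDC_EVENT_IDS = {4768, 4769}  # TGT request, service ticket request


def parse_etype(value):
    """Return the encryption type as an int, or None if absent or unparseable.

    Event data usually carries hex strings such as "0x17"; some pipelines
    convert them to decimal, so both forms are accepted.
    """
    if value is None:
        return None
    try:
        return int(str(value).strip(), 0)
    except ValueError:
        return None


def rc4_usage(events):
    """Count RC4 use per (account, service, part); part is 'ticket' or 'session_key'."""
    hits = Counter()
    for ev in events:
        if int(ev.get("EventID", 0)) not in KDC_EVENT_IDS:
            continue
        account = ev.get("TargetUserName", "?")
        service = ev.get("ServiceName", "?")
        for part, field in (("ticket", "TicketEncryptionType"),
                            ("session_key", "SessionKeyEncryptionType")):
            if parse_etype(ev.get(field)) in RC4_ETYPES:
                hits[(account, service, part)] += 1
    return hits


# Constructed sample events (assumed layout, not real log data).
SAMPLE = [
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "SessionKeyEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x12", "SessionKeyEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "carol", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "SessionKeyEncryptionType": "0x12"},
    # Decimal value and no session-key field, as an older source might log it.
    {"EventID": 4768, "TargetUserName": "legacy-app$", "ServiceName": "krbtgt",
     "TicketEncryptionType": "23"},
    # Failed request: 0xFFFFFFFF is not an RC4 ticket.
    {"EventID": 4769, "TargetUserName": "dave", "ServiceName": "svc-old",
     "TicketEncryptionType": "0xFFFFFFFF"},
]
```

The second sample event is the case a ticket-only check misses: the ticket is AES-encrypted while the session key is still RC4.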