crowdstrike_cql
Windows authentication traffic metrics
Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.
Detection Query
#repo=base_sensor #event_simpleName="IdpDcPerfReport"
| aid=?SelectedAid
| IdpPerfCounterAvg:= IdpPerfCounterSum / IdpPerfSampleCount
| timeChart(span=15m, function=[avg("IdpPerfCounterAvg")], series=IdpPerfCounterPath)
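To make concrete what the three pipeline steps above compute, here is an added Python model of the query (editor's example, not CrowdStrike's code and not something the platform runs): it filters constructed IdpDcPerfReport-style events by aid, derives the per-event average IdpPerfCounterSum / IdpPerfSampleCount, and averages it per 15-minute bucket and per IdpPerfCounterPath, which is what timeChart with avg() produces. The aid values, counter paths and numbers are made up for illustration. It also computes a sample-weighted average alongside, because that is the caveat a practitioner should know about this query: avg() over per-event averages gives a report with one sample the same weight as a report with sixty, so a single short reporting window can pull a bucket's value around. Dropping events whose sample count is zero is a choice made in this model, not a statement about how CQL evaluates that division.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample IdpDcPerfReport-style events (made-up values, not real
# telemetry). Field names are the ones used by the query above.
KERBEROS = r"\Security System-Wide Statistics\Kerberos Authentications"
NTLM = r"\Security System-Wide Statistics\NTLM Authentications"

SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:03:00Z", "aid": "dc01", "IdpPerfCounterPath": KERBEROS,
     "IdpPerfCounterSum": 600.0, "IdpPerfSampleCount": 60},
    {"@timestamp": "2024-05-01T10:12:00Z", "aid": "dc01", "IdpPerfCounterPath": KERBEROS,
     "IdpPerfCounterSum": 30.0, "IdpPerfSampleCount": 1},    # short report window
    {"@timestamp": "2024-05-01T10:18:00Z", "aid": "dc01", "IdpPerfCounterPath": KERBEROS,
     "IdpPerfCounterSum": 900.0, "IdpPerfSampleCount": 60},
    {"@timestamp": "2024-05-01T10:25:00Z", "aid": "dc01", "IdpPerfCounterPath": KERBEROS,
     "IdpPerfCounterSum": 0.0, "IdpPerfSampleCount": 0},     # no samples: no average
    {"@timestamp": "2024-05-01T10:05:00Z", "aid": "dc01", "IdpPerfCounterPath": NTLM,
     "IdpPerfCounterSum": 120.0, "IdpPerfSampleCount": 60},
    {"@timestamp": "2024-05-01T10:07:00Z", "aid": "dc02", "IdpPerfCounterPath": KERBEROS,
     "IdpPerfCounterSum": 5000.0, "IdpPerfSampleCount": 60}, # other DC, filtered out
]


def bucket_start(ts_iso: str, span_minutes: int = 15) -> str:
    """Floor an ISO-8601 UTC timestamp to the start of its bucket (timeChart span=15m)."""
    dt = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    span = span_minutes * 60
    floored = int(dt.timestamp()) // span * span
    return datetime.fromtimestamp(floored, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def per_event_avg(event: dict):
    """IdpPerfCounterAvg := IdpPerfCounterSum / IdpPerfSampleCount.

    A zero sample count yields None here, and the event is left out of the chart
    (a modelling choice for this example, not documented CQL behaviour).
    """
    count = event["IdpPerfSampleCount"]
    if not count:
        return None
    return event["IdpPerfCounterSum"] / count


def time_chart(events, selected_aid: str, span_minutes: int = 15) -> dict:
    """Mirror of the query: filter by aid, compute the per-event average, then
    avg() it per (bucket, IdpPerfCounterPath) series. Returns {(bucket, path): value}."""
    groups = defaultdict(list)
    for ev in events:
        if ev["aid"] != selected_aid:
            continue
        avg = per_event_avg(ev)
        if avg is None:
            continue
        key = (bucket_start(ev["@timestamp"], span_minutes), ev["IdpPerfCounterPath"])
        groups[key].append(avg)
    return {key: sum(vals) / len(vals) for key, vals in groups.items()}


def weighted_time_chart(events, selected_aid: str, span_minutes: int = 15) -> dict:
    """Sample-weighted alternative: sum(IdpPerfCounterSum) / sum(IdpPerfSampleCount)
    per bucket, so a report with very few samples cannot dominate the bucket."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for ev in events:
        if ev["aid"] != selected_aid:
            continue
        key = (bucket_start(ev["@timestamp"], span_minutes), ev["IdpPerfCounterPath"])
        sums[key] += ev["IdpPerfCounterSum"]
        counts[key] += ev["IdpPerfSampleCount"]
    return {key: sums[key] / counts[key] for key in sums if counts[key]}


if __name__ == "__main__":
    unweighted = time_chart(SAMPLE_EVENTS, "dc01")
    weighted = weighted_time_chart(SAMPLE_EVENTS, "dc01")
    for key in sorted(unweighted):
        print(key, "avg of averages:", round(unweighted[key], 2),
              "sample-weighted:", round(weighted[key], 2))
```

In the constructed data the 10:00 Kerberos bucket comes out at 20.0 with the query's avg-of-averages but about 10.33 when weighted by samples, because the one-sample report counts as much as the sixty-sample one. If that matters for your baselining, aggregate the sums and the sample counts per bucket first and divide afterwards, rather than dividing per event before avg().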
Author
CrowdStrike
Data Sources
Identity
Tags
Monitoring, cs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Windows authentication traffic metrics
# Description of what the query does and its purpose.
description: Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.
# The author or team that created the query.
author: CrowdStrike
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Identity
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Identity
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #repo=base_sensor #event_simpleName="IdpDcPerfReport"
  | aid=?SelectedAid
  | IdpPerfCounterAvg:= IdpPerfCounterSum / IdpPerfSampleCount
  | timeChart(span=15m, function=[avg("IdpPerfCounterAvg")], series=IdpPerfCounterPath)