<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: XQL Query Assistance in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/530093#M3572</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270330"&gt;@WilliamHolloway&lt;/a&gt;&amp;nbsp;if you are using Cortex XDR Pro, there are several &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference" target="_blank"&gt;Analytics Detectors&lt;/A&gt; that are automatically triggered during brute force attempts once the tenant has met the minimum requirements for Analytics. You can refer to this documentation as to &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Set-up-your-Data-Sources-and-Alert-Sensors" target="_blank"&gt;how to enable Analytics&lt;/A&gt;.&lt;/P&gt;</description>
    <pubDate>Tue, 07 Feb 2023 10:18:21 GMT</pubDate>
    <dc:creator>bbarmanroy</dc:creator>
    <dc:date>2023-02-07T10:18:21Z</dc:date>
    <item>
      <title>XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/528896#M3482</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;
&lt;P&gt;I'm new to Cortex and creating XQL queries. I was looking for a way to detect a brute force attack (failed logins followed by a successful login). Are there any good resources available online or can someone help me get this query built?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-unlink="true"&gt;Thanks in advance&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;#Cortex XDR&lt;SPAN&gt;&amp;nbsp;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 27 Jan 2023 15:59:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/528896#M3482</guid>
      <dc:creator>WilliamHolloway</dc:creator>
      <dc:date>2023-01-27T15:59:19Z</dc:date>
    </item>
    <item>
      <title>Re: XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/530093#M3572</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270330"&gt;@WilliamHolloway&lt;/a&gt;&amp;nbsp;if you are using Cortex XDR Pro, there are several &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference" target="_blank"&gt;Analytics Detectors&lt;/A&gt; that are automatically triggered during brute force attempts once the tenant has met the minimum requirements for Analytics. You can refer to this documentation as to &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Set-up-your-Data-Sources-and-Alert-Sensors" target="_blank"&gt;how to enable Analytics&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Feb 2023 10:18:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/530093#M3572</guid>
      <dc:creator>bbarmanroy</dc:creator>
      <dc:date>2023-02-07T10:18:21Z</dc:date>
    </item>
    <item>
      <title>Re: XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/530840#M3616</link>
      <description>&lt;P&gt;Hi William, we can build an XQL query and search for an event ID like 4624 for a successful login and 4625 for a failed login &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 13 Feb 2023 08:43:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/530840#M3616</guid>
      <dc:creator>Alex_Necula</dc:creator>
      <dc:date>2023-02-13T08:43:43Z</dc:date>
    </item>
    <item>
      <title>Re: XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/562420#M5386</link>
      <description>&lt;P&gt;Has anyone created the XQL Query for this failed and successful logon? CrowdStrike had a great dashboard for this and I am looking to create inside our Cortex setup.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Oct 2023 13:31:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/562420#M5386</guid>
      <dc:creator>TDoerr</dc:creator>
      <dc:date>2023-10-19T13:31:08Z</dc:date>
    </item>
    <item>
      <title>Re: XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/562916#M5405</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270330"&gt;@WilliamHolloway&lt;/a&gt;&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/323487"&gt;@TDoerr&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;This probably answers half of your question: the query below calculates the number of authentication failures per user/endpoint together with the failure reason.&lt;BR /&gt;I figure you could start from here.&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;dataset = xdr_data // Using the xdr dataset

//Query against Windows Security Event ID 4625 - Authentication Failure
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName" ))
| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName" ))
| alter Target_DomainName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetDomainName" ))
| alter Workstation_IP = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress" ))
| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status" ))
| alter SubStatus = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.SubStatus" ))
| alter LogonType = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType" ))
| filter Target_UserName not contains "$"
| comp count(Status) as EventCount by Workstation_Name, Target_UserName, Target_DomainName , Status, SubStatus

// If the status/substatus description is empty, See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
| alter Status_Description = if(to_string(Status) = "0xC000006d", replace(Status, "0xC000006d", "This is either due to a bad username or authentication information"))
| alter Status_Description = if(to_string(Status) = "0xC0000234", replace(Status, "0xC0000234", "User is currently locked out"), Status_Description )
| alter Status_Description = if(to_string(Status) = "0xC000006e", replace(Status, "0xC000006e", "Valid authentication, but restricted."), Status_Description )

| alter SubStatus_Description = if(to_string(SubStatus) = "0xC000006a", replace(SubStatus, "0xC000006a", "User name is correct but the password is wrong"))
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000064", replace(SubStatus, "0xC0000064", "User name does not exist"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000071", replace(SubStatus, "0xC0000071", "Expired password"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000072", replace(SubStatus, "0xC0000072", "Account is currently disabled"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000193", replace(SubStatus, "0xC0000193", "Account expiration"), SubStatus_Description )

| sort desc Workstation_Name 
| fields Workstation_Name as Hostname , Target_UserName as Username, Target_DomainName as Domain, EventCount, Status, Status_Description , SubStatus , SubStatus_Description 
&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;Hope this helps.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 10:04:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/562916#M5405</guid>
      <dc:creator>Antony_Chan</dc:creator>
      <dc:date>2023-10-24T10:04:58Z</dc:date>
    </item>
    <item>
      <title>Re: XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/565645#M5535</link>
      <description>&lt;P&gt;That works.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Nov 2023 17:14:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/565645#M5535</guid>
      <dc:creator>TDoerr</dc:creator>
      <dc:date>2023-11-14T17:14:17Z</dc:date>
    </item>
    <item>
      <title>Re: XQL Query Assistance</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/577558#M6090</link>
      <description>&lt;P&gt;Thank you! I've been trying to find a query to identify specific user authentications (which was proving devilishly hard for some reason) and this got me close enough to be workable.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Any ideas on how to do something similar for an O365 Azure account? The dataset is obviously going to be very different.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 17 Feb 2024 00:04:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-assistance/m-p/577558#M6090</guid>
      <dc:creator>Jesse_Siegrist</dc:creator>
      <dc:date>2024-02-17T00:04:15Z</dc:date>
    </item>
  </channel>
</rss>

