https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/617825#M7424 <P>Hi,</P> <P>&nbsp;</P> <P>Could you please post the modification you did on your query so we can take a look?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 14 Nov 2024 19:04:52 GMT mavega 2024-11-14T19:04:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/616400#M7410 <P>Hi i am trying to craft a query for bruteforce based on 30min timeframe with threshold of more than 5 failed login attempts. But i am having trouble figuring out how to configure the logs for a 7 Days monitoring.</P> <P>&nbsp;</P> <P>Please kindly help me refine the query, thank you so much for your help.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>config timeframe = 30M<BR />| dataset = xdr_data // Using the xdr dataset<BR />//Query against Windows Security Event ID 4625 with NTLM protocol - Authentication Failure<BR />| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625<BR />| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName" ))<BR />| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName" ))<BR />| alter Target_DomainName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetDomainName" ))<BR />| alter Workstation_IP = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress" ))<BR />| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status" ))<BR />| alter SubStatus = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.SubStatus" ))<BR />| alter LogonType = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType" ))<BR />| filter Target_UserName not contains "$"<BR />| comp count(Status) as EventCount by Workstation_Name, Target_UserName, Target_DomainName, Status, SubStatus, LogonType</P> <P>&nbsp;</P> <P>// If the status/substatus description is empty, See <A id="menurekq" class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55" href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55" target="_blank" rel="noreferrer noopener" aria-label="Link https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55">https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55</A></P> <P>&nbsp;</P> <P>| alter Status_Description = if(to_string(Status) = "0xC000006d", replace(Status, "0xC000006d", "This is either due to a bad username or authentication information"))<BR />| alter Status_Description = if(to_string(Status) = "0xC0000234", replace(Status, "0xC0000234", "User is currently locked out"), Status_Description )<BR />| alter Status_Description = if(to_string(Status) = "0xC000006e", replace(Status, "0xC000006e", "Valid authentication, but restricted."), Status_Description )<BR />| alter Status_Description = if(to_string(Status) = "0xc000010b", replace(Status, "0xc000010b", "Indicates an invalid value has been provided for the LogonType requested"), Status_Description )<BR />| filter Status != "0xc0000133"<BR />| filter LogonType = "3" or LogonType = "10"//LogonType3 = Network logon | LogonType10 = Remote interactive&nbsp;&nbsp;<BR />| filter EventCount &gt; 5 //GPO Threshold depending on the number of tries that will trigger the account lockout.</P> <P>&nbsp;</P> <P>| alter SubStatus_Description = if(to_string(SubStatus) = "0xC000006a", replace(SubStatus, "0xC000006a", "User name is correct but the password is wrong"))<BR />| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000064", replace(SubStatus, "0xC0000064", "User name does not exist"), SubStatus_Description )<BR />| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000071", replace(SubStatus, "0xC0000071", "Expired password"), SubStatus_Description )<BR />| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000072", replace(SubStatus, "0xC0000072", "Account is currently disabled"), SubStatus_Description )<BR />| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000193", replace(SubStatus, "0xC0000193", "Account expiration"), SubStatus_Description )<BR /><BR />| sort desc Workstation_Name&nbsp;<BR />| fields Workstation_Name as Hostname , Target_UserName as Username, Target_DomainName as Domain, EventCount, LogonType as Logon_Type, Status, Status_Description , SubStatus , SubStatus_Description</P> <P><LI-WRAPPER></LI-WRAPPER></P> Fri, 08 Nov 2024 07:12:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/616400#M7410 kenly_tok 2024-11-08T07:12:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/616461#M7414 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks for reaching out Live Community.</P> <P>&nbsp;</P> <P>You can try configuring your search to a specific time window, please check on this link for further information on how to do so:</P> <P>&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/timeframe" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/timeframe</A></P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>If this answers your inquiry, please mark it as solution.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> Fri, 08 Nov 2024 21:24:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/616461#M7414 mavega 2024-11-08T21:24:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/616497#M7415 <P>HI Mavega,</P> <P>&nbsp;</P> <P>I've tried but still unable to get the query to work. Are there any query expert can help me with that?&nbsp;</P> <P>&nbsp;</P> <P>Thank you for your assistance.</P> Mon, 11 Nov 2024 02:09:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/616497#M7415 kenly_tok 2024-11-11T02:09:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/617825#M7424 <P>Hi,</P> <P>&nbsp;</P> <P>Could you please post the modification you did on your query so we can take a look?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 14 Nov 2024 19:04:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-bruteforce-xql-query/m-p/617825#M7424 mavega 2024-11-14T19:04:52Z