topic Re: query to pull specific hosts for successful logins in Cortex XDR Discussions

query to pull specific hosts for successful logins

JasonFerris — Tue, 25 Feb 2025 20:52:30 GMT

Hello,

I'm using a canned library query called "Successful Windows Logins" This is a great query but how can I modify it so that its only looking at specific hosts vs all hosts? I can't figure out how to edit this. Can anyone help?

Re: query to pull specific hosts for successful logins

jmazzeo — Tue, 25 Feb 2025 20:55:44 GMT

Hi @JasonFerris, thanks for reaching us using the Live Community.

You can add this filter to get only your required logs.

| filter agent_hostname = "YOUR_HOSTNAME"

If this post answers your question, please mark it as the solution.

Re: query to pull specific hosts for successful logins

JasonFerris — Tue, 25 Feb 2025 21:42:27 GMT

@jmazzeo Here is the query. Again this is a query in the query library already. I tried to add in a line above the 1st filter as another filter | filter agent_hostname = "hostname" but it did not return any results.

dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624 // Filtering by windows event log and id 4624
| alter Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:.*?(\d+)\r\n"),0), Domain = arrayindex(regextract(action_evtlog_message, "New Logon:\r\n.*\r\n.*\r\n.Account Domain:.*?(\w.*)\r\n"),0), Source_IP = arrayindex(regextract(action_evtlog_message, "Source Network Address:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0), Process_Name = arrayindex(regextract(action_evtlog_message, "Process Name:.*?(\w.*)\r\n"),0), Host_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0), User_Name = arrayindex(regextract(action_evtlog_message,"New Logon:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"),0) // Using regextract to get just a part of the full event log message into an array, then using arrayindex to take the first item in the array
| fields User_Name, Host_Name, Domain, Logon_Type, Source_IP, Process_Name // Select all the fields to show them

Re: query to pull specific hosts for successful logins

aspatil — Thu, 27 Feb 2025 05:56:14 GMT

Hello,

I just checked this in my lab, and found under Network Information, Workstation name is showing empty.

If you want to see the successful login, why don't you try simple query:

dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624 // Filtering by windows event log and id 4624
|filter agent_hostname = ""

Re: query to pull specific hosts for successful logins

JasonFerris — Thu, 27 Feb 2025 16:23:03 GMT

@aspatil how do I separate each hostname within the ""? Also I need more details so is there a way to add this line to my original query somehow? or work this criteria into it?

Re: query to pull specific hosts for successful logins

aspatil — Fri, 28 Feb 2025 06:11:39 GMT

You can use below
|filter agent_hostname in (abc, xyz)