topic Re: Rare Admin Login in Environment in Cortex XDR Discussions

Rare Admin Login in Environment

a2123k1 — Fri, 14 Mar 2025 18:56:52 GMT

Hi guys, could anyone help me with the query I'm trying to do.

I'm looking to build an alert based on the rarity of a login in the environment. For instance, raise an alert if "admin" logged in to a device, but that action hasn't been seen in the device/IP for 30 days. As an additional action, cut off the connection from that host IP to the domain.

I made a correlation alert based on this, unfortunately, I don't think this is the best way to do this, because:

1. correlation is not real-time and can only raise an alert once it runs the query (every 10 minutes at a minimum).
2. You can't do a timeframe in correlation. So you can compare the log ins from 30 days ago to now. (config timeframe between "30d" and "now")
3. What's the use of drill-down if we can do a drill-down inside a query (join etc.)?

Here's an example of the query, I transformed some of the fields for alert mapping.

dataset = xdr_data
| filter event_type = EVENT_LOG
| filter action_evtlog_event_id in (4768, 4776, 4624, 4776)
| alter username = action_evtlog_data_fields -> TargetUserName, logon_status_desc = action_evtlog_data_fields -> Status, ip_address = trim(action_evtlog_data_fields -> IpAddress,":ffff:")
| alter logon_status = if(logon_status_desc = "0x0", "Successful")
| fields username, logon_status, ip_address, action_evtlog_data_fields, action_evtlog_message, action_evtlog_event_id, *
| filter logon_status = "Successful" // filter all successful login
| filter ((username contains "admin"
| filter instance <= 1

Re: Rare Admin Login in Environment

aspatil — Tue, 18 Mar 2025 05:21:33 GMT

Hello @a2123k1 ,

You should be able to accomplish this relatively simply, just using the xdr_login_events preset. you can adjust the final login_count filter to whatever number of total events is rare enough for your user.
Just keep in mind that our OOTB analytics will do all this and more, with no extra work (just need the ITDR license). Any user logging into a host for the first time and doing anything on that host will generate alerts on that activity, far more effectively than a manual correlation rule

config timeframe = 30d |preset = xdr_login_events |filter action_user_status = ACTION_LOGIN and outcome = "SUCCESS" and dst_is_machine_account = "false" and action_local_ip not in ("",":1","127.0.0.1") |alter identity = login_data_dst_normalized_user -> identity, domain = login_data_dst_normalized_user -> domain |fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip , action*, actor*, *dst*, src* |comp count() as login_count by identity, domain , dest_host, source_ip addrawdata = true as rawdata |filter login_count = 1

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Re: Rare Admin Login in Environment

a2123k1 — Wed, 26 Mar 2025 14:42:26 GMT

Thanks! I'll reach out to my AE. Is there a technical documentation I can read in the meantime? I found this: Cortex Identity Threat Detection and Response Module, doesn't tell me much. Would this work with other non-xdr logs we brought in to Cortex i.e Azure logs etc.