Cortex XDR Correlation rule to detect /alert if a user logon to multiple endpoints at a time


L0 Member

Hi,

Can anybody help me create a Cortex XDR Correlation rule using XQL to detect/alert if a user logs on to multiple endpoints at the same time?

Thanks in advance.

Regards

Sree Rag R


L4 Transporter

Hello @Sree Rag R

Thanks for reaching out on LiveCommunity!

I have created an XQL query which you can use as a reference to create your own correlation rule.

dataset = endpoints
| filter user not in (null, "")                      // drop endpoints with no recorded user
| comp count(endpoint_name) as NumOfComputer by user  // one row per endpoint, so this is the endpoint count per user
| filter NumOfComputer > 1
| fields user, NumOfComputer

This query will list the users who have logged on to more than one endpoint.

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

L5 Sessionator

Hello @Sree Rag R,

This is more of a SIEM or Identity Protection requirement. However, you can try the below and see if this meets your requirement:

config timeframe between "10m" and "now"   // update this timeframe for the interval you are looking at
| dataset = xdr_data
| filter event_type = EVENT_LOG AND action_evtlog_event_id = 4625   // filtering by Windows failed logon events
| alter User_Name = arrayindex(regextract(action_evtlog_message, "Account For Which Logon Failed:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"), 0)   // pull the target account name out of the event message
| comp count_distinct(agent_hostname) as host_count by User_Name   // distinct hosts per account within the timeframe
| filter host_count > 1

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Ashutosh Patil

Hi Nsinghvirk,

Thanks for the reply. As you said, this lists the users who have logged on to more than one endpoint.

If you could provide a solution for displaying the endpoint name along with the result, that would be more helpful.

 

Regards

Sree Rag R

L1 Bithead

In general, you will have an Investigation/Alert Query on the Correlation rule that has the events ungrouped and thus shows the endpoint names.

So, write a similar query without the counters and select the desired fields, inside the Correlation rule which will have as its main/logic query one of those mentioned in the previous replies (two queries in total).
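
Bringing the two halves of the thread together (the per-user distinct-host count from the earlier replies as the main/logic query, and the ungrouped rows from the last reply as the investigation query), the following is the same detection logic worked through in Python over constructed Windows Security log messages. It is an added example, not part of the original thread and not Cortex XDR's own code. It filters on event 4624 (successful logon) because the question is about logons; the earlier reply's 4625 filter counts failed attempts instead. The host names, user names, timestamps, the logon-type allow list and the 10-minute window are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types worth correlating across hosts (assumption, tune per environment).
# Network (3) and service (5) logons are left out: one user touching file shares
# on many hosts in ten minutes is normal and would flood the rule.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# Anchor on "New Logon:" rather than the first "Account Name:" in the message:
# in a 4624 event the first Account Name is the Subject (usually the computer
# account, e.g. WS01$), not the user who logged on.
NEW_LOGON_USER_RE = re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.S)
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def parse_new_logon_user(message):
    """Return the account under the 'New Logon:' section of a 4624 message."""
    m = NEW_LOGON_USER_RE.search(message)
    return m.group(1) if m else None


def parse_logon_type(message):
    m = LOGON_TYPE_RE.search(message)
    return int(m.group(1)) if m else None


def interactive_logons(events, now, window_minutes):
    """Yield (ts, host, user, logon_type) for successful interactive logons by
    non-machine accounts inside the lookback window. This is the filter/alter
    part that both the main and the investigation query share."""
    start = now - timedelta(minutes=window_minutes)
    for ts, host, event_id, message in events:
        if event_id != 4624 or not (start <= ts <= now):
            continue
        user = parse_new_logon_user(message)
        logon_type = parse_logon_type(message)
        if not user or user.endswith("$") or logon_type not in INTERACTIVE_LOGON_TYPES:
            continue
        yield ts, host, user, logon_type


def multi_endpoint_users(events, now, window_minutes=10, threshold=1):
    """Main/logic query: distinct hosts per user, keep users above threshold."""
    hosts = defaultdict(set)
    for _ts, host, user, _lt in interactive_logons(events, now, window_minutes):
        hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) > threshold}


def investigation_rows(events, now, window_minutes=10, threshold=1):
    """Investigation query: the ungrouped rows behind each flagged user, which
    is what puts the endpoint name into the alert."""
    flagged = multi_endpoint_users(events, now, window_minutes, threshold)
    return sorted(r for r in interactive_logons(events, now, window_minutes) if r[2] in flagged)


# Constructed sample messages in the layout of Windows Security events (not real telemetry).
def msg_4624(subject_acct, new_acct, domain, logon_type):
    return ("An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n"
            f"\tAccount Name:\t\t{subject_acct}\r\n\tAccount Domain:\t\t{domain}\r\n\r\n"
            f"Logon Type:\t\t\t{logon_type}\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1000\r\n"
            f"\tAccount Name:\t\t{new_acct}\r\n\tAccount Domain:\t\t{domain}\r\n")


def msg_4625(acct, domain):
    return ("An account failed to log on.\r\n\r\nSubject:\r\n\tAccount Name:\t\t-\r\n\r\n"
            "Logon Type:\t\t\t2\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n"
            f"\tAccount Name:\t\t{acct}\r\n\tAccount Domain:\t\t{domain}\r\n")


NOW = datetime(2024, 1, 15, 9, 0, 0)  # assumed "now" for the rule run


def minutes_ago(n):
    return NOW - timedelta(minutes=n)


# (timestamp, agent hostname, event id, message); hosts and users are made up.
SAMPLE_EVENTS = [
    (minutes_ago(8), "WS01", 4624, msg_4624("WS01$", "alice", "CORP", 10)),
    (minutes_ago(3), "WS02", 4624, msg_4624("WS02$", "alice", "CORP", 2)),
    (minutes_ago(30), "WS03", 4624, msg_4624("WS03$", "alice", "CORP", 2)),       # outside 10m window
    (minutes_ago(5), "WS05", 4624, msg_4624("WS05$", "bob", "CORP", 2)),
    (minutes_ago(2), "WS05", 4624, msg_4624("WS05$", "bob", "CORP", 2)),          # same host twice
    (minutes_ago(4), "WS02", 4624, msg_4624("WS02$", "svc-backup", "CORP", 3)),
    (minutes_ago(1), "WS06", 4624, msg_4624("WS06$", "svc-backup", "CORP", 3)),   # network logons, excluded
    (minutes_ago(6), "WS07", 4625, msg_4625("carol", "CORP")),
    (minutes_ago(2), "WS08", 4625, msg_4625("carol", "CORP")),                    # failed logons, excluded
]

if __name__ == "__main__":
    print(multi_endpoint_users(SAMPLE_EVENTS, NOW))
    for ts, host, user, lt in investigation_rows(SAMPLE_EVENTS, NOW):
        print(ts.isoformat(), host, user, lt)
```

With the sample data only alice is flagged (WS01 and WS02 inside the window; WS03 falls out of it), and the investigation rows carry the timestamp, host and logon type for each of her logons. Widening the window to an hour pulls WS03 in as well, which is the knob the `config timeframe` stage in the XQL query above exposes. If you port the 4624 variant back to XQL, keep the regex anchored on "New Logon:" for the same reason the earlier reply anchored on "Account For Which Logon Failed:".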
