This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cortex XDR Correlation rule to detect /alert if a user logon to multiple endpoints at a time

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XDR Correlation rule to detect /alert if a user logon to multiple endpoints at a time

Sree Rag R
L0 Member

‎02-22-2024 04:40 AM

Hi ,

 

Can anybody help to create a Cortex XDR Correlation rule using XQL to detect /alert if a user logon to multiple endpoints at a time

 

Thanks in advance.

 

Regards

Sree Rag R

0 Likes Likes
4 REPLIES 4

nsinghvirk
L4 Transporter

‎02-27-2024 05:52 AM

Hello @Sree Rag R 

 

Thanks for reaching out on LiveCommunity!

I have a created a XQL query which you can use as reference to create your own correlation rule.

dataset = endpoints
| filter (user not in (null, """"""))
| comp count(endpoint_name) as NumOfComputer by user
| filter NumOfComputer > 1
| fields user , NumOfComputer

 

This query will list the users who have logged on more then one endpoints.

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

aspatil
L4 Transporter

‎02-27-2024 07:06 AM - edited ‎02-27-2024 07:08 AM

Hello @Sree Rag R ,

 

This the more kind SIEM or Identity Protection requirement. However, you can try below and see if this meets your requirement:

config timeframe between "10m" and "now"  //update this timeframe for the interval you are looking
|dataset = xdr_data
| filter event_type = EVENT_LOG AND action_evtlog_event_id = 4625 // Filtering by failed logon events`
| alter User_Name = arrayindex(regextract(action_evtlog_message,"Account For Which Logon Failed:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"),0)
| comp count_distinct(agent_hostname ) as host_count by User_Name
| filter host_count >1

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Ashutosh Patil
0 Likes Likes

Sree Rag R
L0 Member
In response to nsinghvirk

‎02-28-2024 02:49 AM

Hi Nsinghvirk,

 

Thanks for the revert. As u said this is listing the users who have logged on more then one endpoints. 

If u provide solution for displaying Endpoint name along with the result that would be more helpful.

 

Regards

Sree Rag R

0 Likes Likes

ithermos
L1 Bithead

‎02-28-2024 03:47 AM

In general, you will have an Investigation/Alert Query on the Correlation rule, that will have the events ungrouped and thus showcasing the Endpoint names.

 

So, write a similar query without the counters and select the desired fields, inside the Correlation rule which will have as a main/logic query one of those mentioned in the previous replies (two queries in total).

0 Likes Likes
  • 501 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks