03-16-2026 04:04 AM
Hi Community,
Please help me with creating an XQL query for Cortex XSIAM for the requirement below.
VPN Credential Abuse / Anomalous VPN Access
Objective:
Detect initial access via compromised VPN credentials, the primary entry vector used by Handala Hack. It looks for suspicious VPN authentication events such as first‑time logins from new geolocations, commercial VPN IP ranges, sudden admin elevation after VPN login, or anomalous remote access activity. By correlating authentication anomalies with VPN session metadata, the hunt surfaces early indicators of credential misuse and unauthorized access. This aligns with T1078 (Valid Accounts) and T1090 (Proxy).
03-16-2026 07:09 AM
Hello @N.B238890,
Greetings for the day.
To detect initial access via compromised VPN credentials and subsequent anomalous activity, you can utilize Cortex XSIAM's ability to query and correlate metadata from GlobalProtect and general authentication datasets. While a single, all-encompassing query for every objective may not exist, the following components can be used to build a comprehensive hunt for the behaviors you described.
Cortex XSIAM automatically enriches source IP data with Autonomous System (AS) information from providers such as Spur and MaxMind GeoLite2. You can identify commercial VPN or proxy usage by filtering for Autonomous System Names (ASNs) associated with hosting providers such as DigitalOcean or Amazon.
Use the following query structure to identify logins from hosting provider ASNs:
Note: Specific direct XDM boolean flags for Spur-provided VPN metadata (for example xdm.source.is_vpn) may vary depending on the schema version. Review the latest XDM Schema Guide or inspect available fields in your dataset.
You can monitor successful connections originating from unexpected countries by filtering on geographic metadata associated with the source IP.
Example query to find logins outside a designated home country:
For first-time logins from new geolocations, Cortex XSIAM includes built-in analytics alerts such as “A user connected to a VPN from a new country.” These alerts rely on historical baselining of user login behavior.
After a suspicious VPN login, you should monitor for potential privilege escalation or lateral movement. Examples of activity to watch for include:
- Windows Event ID 4624 – Successful interactive logon
- Windows Event ID 4768 – Kerberos authentication ticket request
These events occurring shortly after a VPN login may indicate that compromised credentials are being used to pivot within the environment.
If stolen credentials are used to deploy or execute remote access tools such as TeamViewer, you can detect them through process execution or file activity telemetry.
Example query to identify TeamViewer execution and the associated user:
TeamViewer also generates local logs at:
These artifacts can be correlated with user activity and endpoint telemetry stored in the xdr_data dataset.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
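The hunt logic described in the answer above (new-country login against a per-user baseline, hosting-provider ASN, and admin elevation shortly after the VPN login), worked through in Python over constructed sample records. This is an added example, not code from the original post or from Cortex XSIAM; the record layout, the baseline dictionary and the hosting-ASN list are assumptions standing in for what an XQL query over the VPN and authentication datasets would return.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post). Countries seen per user during
# the baseline period, as the built-in "new country" analytics would keep them.
BASELINE_COUNTRIES = {"alice": {"DE"}, "bob": {"US", "CA"}}

# Assumed list of AS names treated as commercial VPN / hosting providers.
HOSTING_ASNS = {"DigitalOcean", "Amazon"}

# Constructed VPN session records: user, login time, GeoIP country, AS name.
VPN_LOGINS = [
    {"user": "alice", "time": "2026-03-16T04:00:00", "country": "DE", "asn": "Deutsche Telekom"},
    {"user": "alice", "time": "2026-03-16T04:20:00", "country": "NL", "asn": "DigitalOcean"},
    {"user": "bob",   "time": "2026-03-16T05:00:00", "country": "US", "asn": "Comcast"},
]

# Constructed privilege-change events (e.g. added to an admin group).
ADMIN_EVENTS = [
    {"user": "alice", "time": "2026-03-16T04:35:00", "action": "added_to_admin_group"},
    {"user": "bob",   "time": "2026-03-16T09:00:00", "action": "added_to_admin_group"},
]


def hunt(vpn_logins, admin_events, baseline, hosting_asns, window=timedelta(minutes=30)):
    """Return one finding per VPN login that matches at least one anomaly condition."""
    findings = []
    for login in vpn_logins:
        reasons = []
        t0 = datetime.fromisoformat(login["time"])
        # Condition 1: country never seen for this user in the baseline period.
        if login["country"] not in baseline.get(login["user"], set()):
            reasons.append("new_country")
        # Condition 2: source IP belongs to a hosting / commercial VPN provider.
        if login["asn"] in hosting_asns:
            reasons.append("hosting_asn")
        # Condition 3: admin elevation for the same user inside the window after login.
        for ev in admin_events:
            t1 = datetime.fromisoformat(ev["time"])
            if ev["user"] == login["user"] and t0 <= t1 <= t0 + window:
                reasons.append("admin_elevation_within_window")
                break
        if reasons:
            findings.append({"user": login["user"], "time": login["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(VPN_LOGINS, ADMIN_EVENTS, BASELINE_COUNTRIES, HOSTING_ASNS):
        print(f)
```

Only alice's second session is flagged: the first session is in her baseline country, from a residential ASN, and the admin change falls outside its 30-minute window.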