Need help with BruteForce XQL query


L0 Member

Hi, I am trying to craft a query for brute force based on a 30-minute timeframe with a threshold of more than 5 failed login attempts. But I am having trouble figuring out how to configure the logs for 7 days of monitoring.

Please kindly help me refine the query, thank you so much for your help.

config timeframe = 30m // relative timeframe units are lowercase: 30m = the last 30 minutes
| dataset = xdr_data // Using the xdr dataset
// Query against Windows Security Event ID 4625 with NTLM protocol - Authentication Failure
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName"))
| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName"))
| alter Target_DomainName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetDomainName"))
| alter Workstation_IP = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress"))
| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status"))
| alter SubStatus = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.SubStatus"))
| alter LogonType = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType"))
| filter Target_UserName not contains "$" // drop computer accounts
| filter LogonType = "3" or LogonType = "10" // LogonType 3 = Network logon | LogonType 10 = Remote interactive
| filter Status != "0xc0000133" // STATUS_TIME_DIFFERENCE_AT_DC: clock skew between client and DC, not a credential failure
| comp count(Status) as EventCount by Workstation_Name, Target_UserName, Target_DomainName, Status, SubStatus, LogonType
| filter EventCount > 5 // GPO threshold: the number of tries that triggers the account lockout
// Status and SubStatus were lowercased above, so every literal below must be lowercase too; with mixed-case
// literals (0xC000006d) the comparison never matches and the description stays empty.
// If the status/substatus description is empty, see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60...
| alter Status_Description = if(Status = "0xc000006d", "This is either due to a bad username or authentication information")
| alter Status_Description = if(Status = "0xc0000234", "User is currently locked out", Status_Description)
| alter Status_Description = if(Status = "0xc000006e", "Valid authentication, but restricted.", Status_Description)
| alter Status_Description = if(Status = "0xc000010b", "Indicates an invalid value has been provided for the LogonType requested", Status_Description)
| alter SubStatus_Description = if(SubStatus = "0xc000006a", "User name is correct but the password is wrong")
| alter SubStatus_Description = if(SubStatus = "0xc0000064", "User name does not exist", SubStatus_Description)
| alter SubStatus_Description = if(SubStatus = "0xc0000071", "Expired password", SubStatus_Description)
| alter SubStatus_Description = if(SubStatus = "0xc0000072", "Account is currently disabled", SubStatus_Description)
| alter SubStatus_Description = if(SubStatus = "0xc0000193", "Account expiration", SubStatus_Description)
| sort desc Workstation_Name
| fields Workstation_Name as Hostname, Target_UserName as Username, Target_DomainName as Domain, EventCount, LogonType as Logon_Type, Status, Status_Description, SubStatus, SubStatus_Description
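
An added XQL example, not the poster's query or anything posted in the thread, showing one way to get the 7-day coverage the question asks for: set `config timeframe` to 7 days and use `bin` to split `_time` into 30-minute buckets, so the failure threshold is evaluated per source host, per target account, per half-hour window instead of once over the whole period. Field extraction follows the poster's query; the `bin` stage, the `_time`/`Workstation_IP` grouping and the output aliases are assumptions added here.

```xql
// Look back 7 days instead of a single 30-minute window
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName"))
| alter Workstation_IP = json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress")
| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName"))
| alter LogonType = json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType")
| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status"))
// Same scoping as the original query: human accounts, network or RDP logons, no clock-skew noise
| filter Target_UserName not contains "$"
| filter LogonType = "3" or LogonType = "10"
| filter Status != "0xc0000133"
// Round every event's _time down to the start of its 30-minute bucket (assumed bin stage)
| bin _time span = 30m
// Count failures per bucket, per source, per target account. Status is deliberately NOT in the
// group-by, so different failure reasons against the same account add up instead of being split
| comp count(Status) as EventCount by _time, Workstation_Name, Workstation_IP, Target_UserName
// Same threshold as before, now evaluated inside each 30-minute window
| filter EventCount > 5
| sort desc EventCount
| fields _time as Window_Start, Workstation_Name as Hostname, Workstation_IP as Source_IP, Target_UserName as Username, EventCount
```

Each result row is one 30-minute window in the last 7 days in which a single source exceeded the threshold against one account, which is the shape a lockout or brute-force alert normally needs.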

3 REPLIES

L2 Linker

Hi,

Thanks for reaching out to Live Community.

You can try configuring your search to a specific time window; please check this link for further information on how to do so:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/timeframe

If this answers your inquiry, please mark it as solution.

Regards,

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

Hi Mavega,

I've tried but am still unable to get the query to work. Are there any query experts who can help me with that?

Thank you for your assistance.

Hi,

 

Could you please post the modification you did on your query so we can take a look?

 

Thanks.
