11-07-2024 11:12 PM
Hi, I am trying to craft a query for brute force based on a 30 min timeframe with a threshold of more than 5 failed login attempts. But I am having trouble figuring out how to configure the logs for 7 days of monitoring.
Please kindly help me refine the query, thank you so much for your help.
config timeframe = 30M
| dataset = xdr_data // Using the xdr dataset
//Query against Windows Security Event ID 4625 with NTLM protocol - Authentication Failure
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName" ))
| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName" ))
| alter Target_DomainName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetDomainName" ))
| alter Workstation_IP = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress" ))
| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status" ))
| alter SubStatus = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.SubStatus" ))
| alter LogonType = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType" ))
| filter Target_UserName not contains "$" // drop machine accounts
| comp count(Status) as EventCount by Workstation_Name, Target_UserName, Target_DomainName, Status, SubStatus, LogonType
// If the status/substatus description is empty, See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60...
// Status and SubStatus were lowercased above, so the NTSTATUS codes below must be compared in lowercase too
| alter Status_Description = if(Status = "0xc000006d", "This is either due to a bad username or authentication information")
| alter Status_Description = if(Status = "0xc0000234", "User is currently locked out", Status_Description )
| alter Status_Description = if(Status = "0xc000006e", "Valid authentication, but restricted.", Status_Description )
| alter Status_Description = if(Status = "0xc000010b", "Indicates an invalid value has been provided for the LogonType requested", Status_Description )
| filter Status != "0xc0000133" // time difference at the DC, not a credential failure
| filter LogonType = "3" or LogonType = "10" //LogonType3 = Network logon | LogonType10 = Remote interactive
| filter EventCount > 5 //GPO Threshold depending on the number of tries that will trigger the account lockout.
| alter SubStatus_Description = if(SubStatus = "0xc000006a", "User name is correct but the password is wrong")
| alter SubStatus_Description = if(SubStatus = "0xc0000064", "User name does not exist", SubStatus_Description )
| alter SubStatus_Description = if(SubStatus = "0xc0000071", "Expired password", SubStatus_Description )
| alter SubStatus_Description = if(SubStatus = "0xc0000072", "Account is currently disabled", SubStatus_Description )
| alter SubStatus_Description = if(SubStatus = "0xc0000193", "Account expiration", SubStatus_Description )
| sort desc Workstation_Name
| fields Workstation_Name as Hostname , Target_UserName as Username, Target_DomainName as Domain, EventCount, LogonType as Logon_Type, Status, Status_Description , SubStatus , SubStatus_Description
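The threshold logic the query above implements, as an added example that is not part of the original post and is Python rather than XQL: it separates the 7-day search range (what `config timeframe` controls) from the 30-minute aggregation window, keeps the same exclusions (machine accounts, status 0xC0000133, logon types other than 3 and 10) and the same status/substatus descriptions, and runs over constructed 4625 events. The class and function names, the sample events and the sliding-window variant are my own assumptions; the sliding variant goes beyond the thread's fixed buckets and shows why a burst that straddles a bucket boundary is missed by tumbling windows.

```python
"""Added example (not from the thread): 4625 brute-force threshold over a
7-day search range with 30-minute windows, written in Python instead of XQL."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# NTSTATUS descriptions used in the thread's query, keyed in lowercase because
# the query lowercases Status/SubStatus before comparing them.
STATUS_DESC = {
    "0xc000006d": "Bad username or authentication information",
    "0xc0000234": "User is currently locked out",
    "0xc000006e": "Valid authentication, but restricted",
    "0xc000010b": "Invalid value provided for the requested LogonType",
}
SUBSTATUS_DESC = {
    "0xc000006a": "User name is correct but the password is wrong",
    "0xc0000064": "User name does not exist",
    "0xc0000071": "Expired password",
    "0xc0000072": "Account is currently disabled",
    "0xc0000193": "Account expiration",
}
EXCLUDED_STATUS = {"0xc0000133"}    # clock skew at the DC, not a credential failure
WATCHED_LOGON_TYPES = {"3", "10"}   # network and remote interactive logons
THRESHOLD = 5                       # alert when EventCount > 5, as in the query
WINDOW = timedelta(minutes=30)      # aggregation window
SEARCH_RANGE = timedelta(days=7)    # search range (the "7 days monitoring" part)


@dataclass(frozen=True)
class Logon4625:
    """Hypothetical flattened 4625 record (constructed, not a real log format)."""
    time: datetime
    workstation: str
    user: str
    domain: str
    status: str
    substatus: str
    logon_type: str

    def normalized(self):
        """Mirror the query's lowercase() calls so comparisons are case-insensitive."""
        return Logon4625(self.time, self.workstation.lower(), self.user.lower(),
                         self.domain.lower(), self.status.lower(),
                         self.substatus.lower(), self.logon_type)


def is_candidate(e):
    """Same filters as the query: no machine accounts, watched logon types, no 0xC0000133."""
    return ("$" not in e.user and e.logon_type in WATCHED_LOGON_TYPES
            and e.status not in EXCLUDED_STATUS)


def tumbling_hits(events, search_end):
    """Fixed 30-minute buckets over the 7-day range ending at search_end; returns
    one row per (bucket, host, user, domain, status, substatus, logon type) with
    more than THRESHOLD failures, shaped like the query's final `fields` line."""
    search_start = search_end - SEARCH_RANGE
    counts = defaultdict(int)
    for raw in events:
        e = raw.normalized()
        if not (search_start <= e.time < search_end) or not is_candidate(e):
            continue
        bucket = search_start + ((e.time - search_start) // WINDOW) * WINDOW
        counts[(bucket, e.workstation, e.user, e.domain, e.status, e.substatus, e.logon_type)] += 1
    hits = []
    for (bucket, ws, user, domain, status, sub, lt), n in sorted(counts.items()):
        if n > THRESHOLD:
            hits.append({"window_start": bucket, "hostname": ws, "username": user,
                         "domain": domain, "event_count": n, "logon_type": lt,
                         "status": status, "status_description": STATUS_DESC.get(status, status),
                         "substatus": sub, "substatus_description": SUBSTATUS_DESC.get(sub, sub)})
    return hits


def sliding_hits(events, search_end):
    """Any 30-minute span (not aligned to buckets) with more than THRESHOLD failures
    per (host, user). Catches bursts that straddle a fixed bucket boundary."""
    search_start = search_end - SEARCH_RANGE
    per_key = defaultdict(list)
    for raw in events:
        e = raw.normalized()
        if search_start <= e.time < search_end and is_candidate(e):
            per_key[(e.workstation, e.user)].append(e.time)
    hits = {}
    for key, times in per_key.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > WINDOW:   # shrink window from the left
                left += 1
            peak = max(peak, right - left + 1)
        if peak > THRESHOLD:
            hits[key] = peak
    return hits


def _burst(start, n, step_min, ws, user, status="0xC000006D", sub="0xC000006A", lt="3"):
    """Constructed helper: n failures from ws/user, step_min minutes apart."""
    return [Logon4625(start + timedelta(minutes=i * step_min), ws, user, "CORP", status, sub, lt)
            for i in range(n)]


# Constructed sample data: search range is 2024-11-01 .. 2024-11-08.
SEARCH_END = datetime(2024, 11, 8)
DAY5 = datetime(2024, 11, 5)
SAMPLE_EVENTS = (
    _burst(DAY5.replace(hour=10), 7, 2, "WS01", "alice")                 # 10:00-10:12, one bucket
    + _burst(DAY5.replace(hour=10, minute=52), 4, 2, "WS07", "bob")      # 10:52-10:58 ...
    + _burst(DAY5.replace(hour=11, minute=1), 3, 2, "WS07", "bob")       # ... 11:01-11:05, straddles 11:00
    + _burst(DAY5.replace(hour=12), 9, 1, "WS02", "WS02$")               # machine account, excluded
    + _burst(DAY5.replace(hour=13), 8, 1, "WS03", "carol", status="0xC0000133")  # excluded status
    + _burst(DAY5.replace(hour=14), 8, 1, "WS04", "dave", lt="2")        # interactive logon, not watched
    + _burst(datetime(2024, 10, 20), 8, 1, "WS05", "erin")               # outside the 7-day range
)

if __name__ == "__main__":
    for row in tumbling_hits(SAMPLE_EVENTS, SEARCH_END):
        print("tumbling:", row)
    print("sliding:", sliding_hits(SAMPLE_EVENTS, SEARCH_END))
```

With the constructed data, the fixed-bucket version flags only alice (7 failures inside the 10:00 bucket); bob's 7 failures are split 4/3 across the 10:30 and 11:00 buckets and never cross the threshold, while the sliding version flags both. That is the practical reason to decide explicitly whether "5 failures in 30 minutes" means per fixed bucket or in any 30-minute span.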
11-08-2024 01:24 PM
Hi,
Thanks for reaching out to the Live Community.
You can try configuring your search to a specific time window; please check this link for further information on how to do so:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/timeframe
Regards,
If this answers your inquiry, please mark it as solution.
11-10-2024 06:09 PM
Hi Mavega,
I've tried but am still unable to get the query to work. Are there any query experts who can help me with that?
Thank you for your assistance.
11-14-2024 11:04 AM
Hi,
Could you please post the modification you did on your query so we can take a look?
Thanks.