Rare Admin Login in Environment


L2 DataLink Disciple

Hi guys, could anyone help me with the query I'm trying to do?

I'm looking to build an alert based on the rarity of a login in the environment. For instance, raise an alert if "admin" logged in to a device, but that action hasn't been seen in the device/IP for 30 days. As an additional action, cut off the connection from that host IP to the domain.

I made a correlation alert based on this; unfortunately, I don't think this is the best way to do this, because:

1. Correlation is not real-time and can only raise an alert once it runs the query (every 10 minutes at a minimum).
2. You can't do a timeframe in correlation. So you can compare the logins from 30 days ago to now. (config timeframe between "30d" and "now")
3. What's the use of drill-down if we can do a drill-down inside a query (join etc.)?

Here's an example of the query; I transformed some of the fields for alert mapping.

dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| filter action_evtlog_event_id in (4624, 4768, 4776) // 4624 logon, 4768 Kerberos TGT, 4776 NTLM auth
| alter username = action_evtlog_data_fields -> TargetUserName, logon_status_desc = action_evtlog_data_fields -> Status, ip_address = trim(action_evtlog_data_fields -> IpAddress, ":ffff:")
| alter logon_status = if(logon_status_desc = "0x0", "Successful")
| fields username, logon_status, ip_address, action_evtlog_data_fields, action_evtlog_message, action_evtlog_event_id, *
| filter logon_status = "Successful" // keep only successful logins
| filter username contains "admin"
| comp count() as instance by username, ip_address // how often this user/IP pair was seen in the query window
| filter instance <= 1




L7 Application Artisan

Hello @a2123k1 ,

You should be able to accomplish this relatively simply, just using the xdr_login_events preset. You can adjust the final login_count filter to whatever number of total events is rare enough for your user.
Just keep in mind that our OOTB analytics will do all this and more, with no extra work (just need the ITDR license). Any user logging into a host for the first time and doing anything on that host will generate alerts on that activity, far more effectively than a manual correlation rule.

config timeframe = 30d
| preset = xdr_login_events
| filter action_user_status = ACTION_LOGIN and outcome = "SUCCESS" and dst_is_machine_account = "false" and action_local_ip not in ("", "::1", "127.0.0.1")
| alter identity = login_data_dst_normalized_user -> identity, domain = login_data_dst_normalized_user -> domain
| fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip, action*, actor*, *dst*, src*
| comp count() as login_count by identity, domain, dest_host, source_ip addrawdata = true as rawdata
| filter login_count = 1

If you feel this has answered your query, please let us know by clicking Like and on "mark this as a Solution". Thank you.

Ashutosh Patil
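The rarity check the accepted answer builds in XQL (count successful logons per identity, destination host and source IP over a 30-day window, then alert when the count is 1), as an added Python example that is not from this thread and not Cortex XDR code. It walks constructed Windows Security events in time order and flags an admin logon whose (user, host, source IP) tuple has not been seen in the preceding 30 days, which is the streaming form of the same count-by-tuple logic and addresses the "not real-time" concern in the question. The record layout, the host field and the sample events are assumptions, a simplified stand-in for what the XQL queries extract from action_evtlog_data_fields, not the product's schema.

```python
"""Rare-logon check: flag a successful logon whose (user, host, source IP) tuple has
not been seen in the previous 30 days. Added example, not code from the thread or
from Cortex XDR; the record layout below is an assumed, simplified stand-in for the
fields the XQL queries pull out of action_evtlog_data_fields."""
from datetime import datetime, timedelta

# Event IDs the thread filters on: 4624 (logon), 4768 (Kerberos TGT), 4776 (NTLM auth).
LOGON_EVENT_IDS = {4624, 4768, 4776}
BASELINE_WINDOW = timedelta(days=30)
IPV4_MAPPED_PREFIX = "::ffff:"
# Same source-IP exclusions as the accepted answer: empty, IPv6 loopback, IPv4 loopback.
EXCLUDED_SOURCE_IPS = {"", "::1", "127.0.0.1"}

# Constructed sample events (assumed layout; not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-02-01T08:00:00", "event_id": 4624, "host": "FS01",
     "TargetUserName": "admin", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"time": "2024-02-15T08:05:00", "event_id": 4624, "host": "FS01",
     "TargetUserName": "admin", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"time": "2024-03-20T09:15:00", "event_id": 4624, "host": "FS01",
     "TargetUserName": "admin", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"time": "2024-03-20T09:16:00", "event_id": 4776, "host": "FS01",
     "TargetUserName": "admin", "IpAddress": "::ffff:10.0.0.5", "Status": "0xC000006D"},
    {"time": "2024-03-21T10:00:00", "event_id": 4624, "host": "WS07",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": "2024-03-21T10:30:00", "event_id": 4624, "host": "WS07",
     "TargetUserName": "Admin", "IpAddress": "127.0.0.1", "Status": "0x0"},
    {"time": "2024-03-22T07:40:00", "event_id": 4768, "host": "DC01",
     "TargetUserName": "svc-admin", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"},
]


def normalize_ip(raw):
    """Strip the IPv4-mapped IPv6 prefix, the intent of trim(..., ':ffff:') in the thread."""
    if raw.startswith(IPV4_MAPPED_PREFIX):
        return raw[len(IPV4_MAPPED_PREFIX):]
    return raw


def is_successful_logon(ev):
    """Status 0x0 on one of the logon event IDs, mirroring the logon_status filter."""
    return ev["event_id"] in LOGON_EVENT_IDS and ev.get("Status") == "0x0"


def logon_key(ev):
    """The tuple the XQL comp groups by: identity, destination host, source IP."""
    return (ev["TargetUserName"].lower(), ev["host"], normalize_ip(ev["IpAddress"]))


def find_rare_logons(events, user_substring="admin", window=BASELINE_WINDOW):
    """Walk events in time order; return (time, key) for each successful logon of a
    matching user whose (user, host, source_ip) tuple was not seen within `window`
    before it. Only successful logons update the baseline, as in the XQL filters."""
    last_seen = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_successful_logon(ev):
            continue
        key = logon_key(ev)
        user, _host, ip = key
        if ip in EXCLUDED_SOURCE_IPS:
            continue
        t = datetime.fromisoformat(ev["time"])
        prev = last_seen.get(key)
        if user_substring in user and (prev is None or t - prev > window):
            flagged.append((ev["time"], key))
        last_seen[key] = t
    return flagged


if __name__ == "__main__":
    for when, (user, host, ip) in find_rare_logons(SAMPLE_EVENTS):
        print(f"{when}: rare logon of {user} to {host} from {ip}")
```

On the constructed sample the second FS01 logon (14 days after the first) is quiet, the third is flagged because 34 days passed since the tuple was last seen, the failed 4776 and loopback events are ignored, and the first svc-admin logon to DC01 is flagged as never seen before. A real deployment would persist `last_seen` between runs rather than rebuild it from the stream each time.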




L2 DataLink Disciple

Thanks! I'll reach out to my AE. Is there any technical documentation I can read in the meantime? I found this: Cortex Identity Threat Detection and Response Module; it doesn't tell me much. Would this work with other non-XDR logs we brought into Cortex, i.e. Azure logs, etc.?
