03-14-2025 11:56 AM
Hi guys, could anyone help me with the query I'm trying to do?
I'm looking to build an alert based on the rarity of a login in the environment. For instance, raise an alert if "admin" logged in to a device, but that action hasn't been seen in the device/IP for 30 days. As an additional action, cut off the connection from that host IP to the domain.
I made a correlation alert based on this; unfortunately, I don't think this is the best way to do it, because:
1. Correlation is not real-time and can only raise an alert once it runs the query (every 10 minutes at a minimum).
2. You can't do a timeframe in correlation, so you can compare the logins from 30 days ago to now (config timeframe between "30d" and "now").
3. What's the use of drill-down if we can do a drill-down inside a query (join etc.)?
Here's an example of the query; I transformed some of the fields for alert mapping.
```
dataset = xdr_data
| filter event_type = EVENT_LOG
// Kerberos TGT (4768), NTLM auth (4776) and interactive/network logon (4624); 4776 was listed twice
| filter action_evtlog_event_id in (4768, 4776, 4624)
// pull the user, status and client IP out of the event data; strip the IPv4-mapped "::ffff:" prefix
| alter username = action_evtlog_data_fields -> TargetUserName, logon_status_desc = action_evtlog_data_fields -> Status, ip_address = trim(action_evtlog_data_fields -> IpAddress, ":ffff:")
| alter logon_status = if(logon_status_desc = "0x0", "Successful")
| fields username, logon_status, ip_address, action_evtlog_data_fields, action_evtlog_message, action_evtlog_event_id, *
| filter logon_status = "Successful" // keep only successful logins
| filter username contains "admin" // closing parentheses were missing here
| filter instance <= 1 // "instance" is not produced by any stage above; it needs a per-(username, ip_address) count to compare against
```
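The rarity logic the post describes, as an added Python example that is not the poster's query or any Cortex XDR code: it compares a short detection window against the preceding 30-day baseline of (user, IP) pairs, which is what a single XQL run would have to express, and shows why a login from an IP last seen more than 30 days ago counts as "new" again. The event sample, the `0x0` success check and the `admin` substring match are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows 4624-style logon events, not data from the post:
# (timestamp, TargetUserName, IpAddress, Status)
EVENTS = [
    ("2025-02-20T09:00:00", "admin",     "::ffff:10.0.0.5",  "0x0"),
    ("2025-01-10T08:00:00", "admin",     "::ffff:10.0.0.42", "0x0"),        # older than the 30-day baseline
    ("2025-03-14T11:48:00", "admin",     "::ffff:10.0.0.99", "0x0"),        # pair never seen before
    ("2025-03-14T11:49:00", "svc_admin", "::ffff:10.0.0.7",  "0xC000006D"), # failed logon, ignored
    ("2025-03-14T11:50:00", "admin",     "::ffff:10.0.0.5",  "0x0"),        # pair seen in baseline
    ("2025-03-14T11:52:00", "admin",     "::ffff:10.0.0.42", "0x0"),        # pair aged out of baseline
    ("2025-03-14T11:53:00", "jsmith",    "::ffff:10.0.0.8",  "0x0"),        # not an admin account
]

def normalize_ip(raw):
    """Strip the IPv4-mapped '::ffff:' prefix Windows writes for IPv4 clients."""
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw

def rare_admin_logins(events, now, baseline_days=30, window_minutes=10, user_substr="admin"):
    """Return (username, ip, timestamp) for successful logins inside the detection
    window whose (username, ip) pair did not occur during the preceding baseline."""
    now = datetime.fromisoformat(now)
    window_start = now - timedelta(minutes=window_minutes)
    baseline_start = now - timedelta(days=baseline_days)
    # Pass 1: every successful (user, ip) pair seen in [baseline_start, window_start).
    baseline = set()
    for ts, user, ip, status in events:
        t = datetime.fromisoformat(ts)
        if status == "0x0" and baseline_start <= t < window_start:
            baseline.add((user, normalize_ip(ip)))
    # Pass 2: successful admin logins in the detection window with no baseline match.
    alerts = []
    for ts, user, ip, status in events:
        t = datetime.fromisoformat(ts)
        if status != "0x0" or user_substr not in user or not (window_start <= t <= now):
            continue
        key = (user, normalize_ip(ip))
        if key not in baseline:
            alerts.append((user, key[1], ts))
    return sorted(alerts, key=lambda a: a[2])

if __name__ == "__main__":
    for user, ip, ts in rare_admin_logins(EVENTS, "2025-03-14T11:56:00"):
        print(f"ALERT {ts}: {user} from {ip} not seen on this IP in the last 30 days")
```

Widening `baseline_days` is the knob that decides whether an old pairing still counts as known, which is the comparison the correlation rule cannot make inside one run.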