04-24-2025 11:53 AM
Hi team,
I made a correlation query that looks for logins that haven't been seen on the servers in the last 7 days. This filters all successful logins to endpoints of type server.
preset = xdr_login_events
| join type = inner (dataset = endpoints | fields endpoint_name, endpoint_type) as ep ep.endpoint_name contains agent_hostname
| filter endpoint_type contains "SERVER"
// successful, non machine-account logins; skip empty and loopback source addresses ("::1" is the IPv6 loopback)
| filter action_user_status = ACTION_LOGIN and outcome = "SUCCESS" and dst_is_machine_account = "false" and action_local_ip not in ("", "::1", "127.0.0.1")
| alter identity = login_data_dst_normalized_user -> identity, domain = login_data_dst_normalized_user -> domain
| fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip, action*, actor*, *dst*, src*
| comp count() as login_count by identity, domain, dest_host, source_ip addrawdata = true as rawdata
| filter login_count = 1
I find that this query also detects ANY authentication event, including network logins (shares, mapped drives, etc.) and any service logins. Is there a way to filter interactive and remote logins? There is a method under login_data_dst_normalized_user, but I'm guessing that's not the same method as the Windows event ID 4624 method, and we have some Linux-based machines, so we can't use the event ID to filter them.
04-28-2025 03:10 AM
Hello @a2123k1,
To identify rare administrative login events on servers, specifically distinguishing between interactive and remote logins, it's essential to utilize the xdr_data dataset in Cortex XDR.
You can refer to the sample below, but modify it as per your requirement.
config timeframe = 30d
| dataset = xdr_data
// Windows Security event 4624 = an account was successfully logged on
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624
// pull the numeric "Logon Type" field out of the event message text
| alter Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:\s+(\d+)"), 0)
| filter Logon_Type in ("2", "10") // 2: Interactive, 10: RemoteInteractive (e.g., RDP)
| join type = inner (
    dataset = endpoints
    | fields endpoint_name, endpoint_type
  ) as ep ep.endpoint_name = agent_hostname
| filter endpoint_type contains "SERVER"
| filter actor_effective_username in ("Administrator", "admin", "root", "svc_admin") // Adjust as per your environment
| alter identity = login_data_dst_normalized_user -> identity,
        domain = login_data_dst_normalized_user -> domain
| fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip, Logon_Type, action_evtlog_message
| comp count() as login_count by identity, domain, dest_host, source_ip, Logon_Type
| filter login_count = 1
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
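The two posts above raise the same detection problem from different sides: the question needs interactive and remote logins separated from network and service logins on both Windows and Linux servers, and the answer does it for Windows by extracting the 4624 "Logon Type" field. The following Python is an added example, not code from the thread or from Cortex XDR, that carries that idea through end to end outside XQL: it parses constructed 4624 message bodies and constructed Linux sshd/pam_unix syslog lines into one normalized record, keeps only the human logon kinds, and then applies the same "seen exactly once per identity, host and source address" rule the queries above express with comp count() and filter login_count = 1. The PAM service-to-logon-kind table and the sample hostnames, users and addresses are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Windows Security 4624 "Logon Type" codes and Microsoft's published meanings.
WINDOWS_LOGON_TYPES = {
    "2": "interactive", "3": "network", "4": "batch", "5": "service",
    "7": "unlock", "8": "network_cleartext", "9": "new_credentials",
    "10": "remote_interactive", "11": "cached_interactive",
}
# PAM service name -> logon kind for Linux "session opened" lines (assumption for
# this example; extend with the display managers and services your hosts use).
LINUX_PAM_KINDS = {"login": "interactive", "gdm-password": "interactive",
                   "cron": "batch", "sudo": "privilege_elevation"}
# Only these count as a person sitting at a console or a remote session.
HUMAN_KINDS = {"interactive", "remote_interactive", "cached_interactive"}

@dataclass(frozen=True)
class Login:
    identity: str
    domain: str
    host: str
    source_ip: str
    kind: str

_LOGON_TYPE = re.compile(r"Logon Type:\s+(\d+)")
_NEW_LOGON = re.compile(r"New Logon:.*?Account Name:\s+(\S+).*?Account Domain:\s+(\S+)", re.S)
_SRC_ADDR = re.compile(r"Source Network Address:\s+(\S+)")

def parse_windows_4624(host, message):
    """Turn a 4624 message body into a Login, or None if the fields are missing."""
    lt, who = _LOGON_TYPE.search(message), _NEW_LOGON.search(message)
    if not lt or not who:
        return None
    src = _SRC_ADDR.search(message)
    # "-" and the loopback addresses mean a console logon, so label them "local".
    ip = src.group(1) if src and src.group(1) not in ("-", "::1", "127.0.0.1") else "local"
    return Login(who.group(1), who.group(2), host, ip, WINDOWS_LOGON_TYPES.get(lt.group(1), "other"))

_SSHD_ACCEPT = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")
_PAM_SESSION = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) \S+\[\d+\]: pam_unix\((\w[\w-]*):session\): session opened for user ([^\s(]+)")

def parse_linux_auth(line):
    """Map an sshd 'Accepted' or pam_unix 'session opened' syslog line to a Login."""
    m = _SSHD_ACCEPT.match(line)
    if m:
        host, user, ip = m.groups()
        return Login(user, host, host, ip, "remote_interactive")   # local account: domain = host
    m = _PAM_SESSION.match(line)
    if m:
        host, service, user = m.groups()
        if service == "sshd":
            return None   # already counted from the Accepted line, which carries the source IP
        return Login(user, host, host, "local", LINUX_PAM_KINDS.get(service, "other"))
    return None

def rare_human_logins(logins):
    """(identity, domain, host, source_ip) keys with exactly one human login in the window."""
    counts = Counter((l.identity, l.domain, l.host, l.source_ip)
                     for l in logins if l and l.kind in HUMAN_KINDS)
    return sorted(key for key, n in counts.items() if n == 1)

def win_4624(logon_type, user, domain, src_addr):
    """Constructed 4624 message body in the tab-separated layout the Security log uses."""
    return ("An account was successfully logged on.\n\n"
            "Subject:\n\tAccount Name:\t\tSRV-WIN01$\n\tAccount Domain:\t\tCORP\n\n"
            f"Logon Type:\t\t\t{logon_type}\n\n"
            f"New Logon:\n\tAccount Name:\t\t{user}\n\tAccount Domain:\t\t{domain}\n\n"
            f"Network Information:\n\tSource Network Address:\t{src_addr}\n")

SAMPLE_WINDOWS = [  # (agent_hostname, action_evtlog_message) pairs, constructed
    ("srv-win01", win_4624(10, "jdoe", "CORP", "10.0.0.5")),       # RDP, first time seen
    ("srv-win01", win_4624(3, "svc-backup", "CORP", "10.0.0.9")),  # network logon, not a session
    ("srv-win01", win_4624(2, "admin", "CORP", "-")),              # console, seen twice -> not rare
    ("srv-win01", win_4624(2, "admin", "CORP", "-")),
]
SAMPLE_LINUX = [  # constructed syslog lines
    "Apr 24 11:53:01 srv-lin01 sshd[1234]: Accepted publickey for alice from 10.1.2.3 port 50022 ssh2: RSA SHA256:abc",
    "Apr 24 11:53:01 srv-lin01 sshd[1234]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)",
    "Apr 24 11:54:30 srv-lin01 login[2345]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)",
    "Apr 24 11:55:01 srv-lin01 CRON[3456]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

def demo():
    logins = [parse_windows_4624(h, m) for h, m in SAMPLE_WINDOWS]
    logins += [parse_linux_auth(line) for line in SAMPLE_LINUX]
    return rare_human_logins(logins)

if __name__ == "__main__":
    for key in demo():
        print(key)
```

Running it reports jdoe's RDP session, alice's SSH session and bob's console login, and drops the network logon, the cron session and the admin console login that was seen twice. The sshd pam_unix line is deliberately ignored so one SSH session is not counted as two logins; the same de-duplication concern applies in XQL when more than one event type records the same session.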