04-24-2025 11:53 AM
Hi team,
I made a correlation query that looks for logins that haven't been seen on the servers in the last 7 days. This filters all successful logins to endpoint-type servers.
preset = xdr_login_events
| join type = inner (dataset = endpoints | fields endpoint_name, endpoint_type) as ep ep.endpoint_name contains agent_hostname
| filter endpoint_type contains "SERVER"
| filter action_user_status = ACTION_LOGIN and outcome = "SUCCESS" and dst_is_machine_account = "false" and action_local_ip not in ("", "::1", "127.0.0.1") // "::1" is the IPv6 loopback address
| alter identity = login_data_dst_normalized_user -> identity, domain = login_data_dst_normalized_user -> domain
| fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip, action*, actor*, *dst*, src*
| comp count() as login_count by identity, domain, dest_host, source_ip addrawdata = true as rawdata
| filter login_count = 1
I find that this query also detects ANY authentication event, including network logins (shares, mapped drives, etc.) and any service logins. Is there a way to filter for interactive and remote logins? There is a method field under login_data_dst_normalized_user, but I'm guessing that's not the same method as Windows event ID 4624's method, and we have some Linux-based machines, so we can't use the event ID to filter them.
04-28-2025 03:10 AM
Hello @a2123k1,
To identify rare administrative login events on servers, specifically distinguishing between interactive and remote logins, it's essential to utilize the xdr_data dataset in Cortex XDR.
You can refer to the sample below, but modify it as per your requirements.
config timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624
| alter Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:\s+(\d+)"), 0)
| filter Logon_Type in ("2", "10") // 2: Interactive, 10: RemoteInteractive (e.g., RDP)
| join type = inner (
dataset = endpoints
| fields endpoint_name, endpoint_type
) as ep ep.endpoint_name = agent_hostname
| filter endpoint_type contains "SERVER"
| filter actor_effective_username in ("Administrator", "admin", "root", "svc_admin") // Adjust as per your environment
| alter identity = login_data_dst_normalized_user -> identity,
domain = login_data_dst_normalized_user -> domain
| fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip, Logon_Type, action_evtlog_message
| comp count() as login_count by identity, domain, dest_host, source_ip, Logon_Type
| filter login_count = 1
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution". Thank you.
11-21-2025 06:55 AM
I have hosts that are not sending 4624 but do have telemetry in xdr_login_events:
preset = xdr_login_events
| filter action_local_ip = "192.168.1.12"
| alter logindata_method = json_extract(login_data_dst_normalized_user,"$.method")
//| filter logindata_method not in("0","3")
| limit 1
| alter logindata_domain = json_extract(login_data_dst_normalized_user,"$.domain")
| alter logindata_identity = json_extract(login_data_dst_normalized_user,"$.identity")
| alter logindata_identitytype = json_extract(login_data_dst_normalized_user,"$.identity_type")
| alter logindata_privilegelevel = json_extract(login_data_dst_normalized_user,"$.privilege_level")
| alter logindata_upn = json_extract(login_data_dst_normalized_user,"$.upn")
| alter logindata_username = json_extract(login_data_dst_normalized_user,"$.username")
| fields logindata_*
The `login_data_dst_normalized_user.method` does not match 4624's logon_type as I have many records returning with values of `0` for this field. I'm a little shocked to be unable to locate how `method` is defined and what the values mean. If I `comp` by logindata_method, I am only seeing method of 0 and 3.
What does the method value mean? Where can I find that data?
11-21-2025 09:05 AM
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624
| limit 1
Start with xdr_data. This should get you going. Good luck!
11-21-2025 05:02 PM - edited 11-21-2025 05:04 PM
Thanks for the reply.
dataset = xdr_data
| filter agent_hostname in ("alpha60")
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624
| fields action_evtlog_data_fields, agent_hostname
| alter evt4624_targetusername = replace(json_extract(action_evtlog_data_fields, "$.TargetUserName"),"\"","")
| alter evt4624_elevatedtoken = replace(json_extract(action_evtlog_data_fields, "$.ElevatedToken"),"\"","")
| alter evt4624_subjectdomainname = replace(json_extract(action_evtlog_data_fields, "$.SubjectDomainName"),"\"","")
| alter evt4624_subjectusersid = replace(json_extract(action_evtlog_data_fields, "$.SubjectUserSid"),"\"","")
| alter evt4624_targetdomainname = replace(json_extract(action_evtlog_data_fields, "$.TargetDomainName"),"\"","")
| alter evt4624_processid = replace(json_extract(action_evtlog_data_fields, "$.ProcessId"),"\"","")
| alter evt4624_subjectusername = replace(json_extract(action_evtlog_data_fields, "$.SubjectUserName"),"\"","")
| alter evt4624_subjectlogonid = replace(json_extract(action_evtlog_data_fields, "$.SubjectLogonId"),"\"","")
| alter evt4624_targetusersid = replace(json_extract(action_evtlog_data_fields, "$.TargetUserSid"),"\"","")
| alter evt4624_targetlogonid = replace(json_extract(action_evtlog_data_fields, "$.TargetLogonId"),"\"","")
| alter evt4624_logontype = replace(json_extract(action_evtlog_data_fields, "$.LogonType"),"\"","")
| alter evt4624_logonprocessname = replace(json_extract(action_evtlog_data_fields, "$.LogonProcessName"),"\"","")
| alter evt4624_authenticationpackagename = replace(json_extract(action_evtlog_data_fields, "$.AuthenticationPackageName"),"\"","")
| alter evt4624_impersonationlevel = replace(json_extract(action_evtlog_data_fields, "$.ImpersonationLevel"),"\"","")
| alter evt4624_workstationname = replace(json_extract(action_evtlog_data_fields, "$.WorkstationName"),"\"","")
| alter evt4624_lmpackagename = replace(json_extract(action_evtlog_data_fields, "$.LmPackageName"),"\"","")
| alter evt4624_logonguid = replace(json_extract(action_evtlog_data_fields, "$.LogonGuid"),"\"","")
| alter evt4624_transmittedservices = replace(json_extract(action_evtlog_data_fields, "$.TransmittedServices"),"\"","")
| alter evt4624_keylength = replace(json_extract(action_evtlog_data_fields, "$.KeyLength"),"\"","")
| alter evt4624_processname = replace(json_extract(action_evtlog_data_fields, "$.ProcessName"),"\"","")
| alter evt4624_restrictedadminmode = replace(json_extract(action_evtlog_data_fields, "$.RestrictedAdminMode"),"\"","")
| alter evt4624_ipaddress = replace(json_extract(action_evtlog_data_fields, "$.IpAddress"),"\"","")
| alter evt4624_ipport = replace(json_extract(action_evtlog_data_fields, "$.IpPort"),"\"","")
| alter evt4624_targetoutboundusername = replace(json_extract(action_evtlog_data_fields, "$.TargetOutboundUserName"),"\"","")
| alter evt4624_targetoutbounddomainname = replace(json_extract(action_evtlog_data_fields, "$.TargetOutboundDomainName"),"\"","")
| alter evt4624_virtualaccount = replace(json_extract(action_evtlog_data_fields, "$.VirtualAccount"),"\"","")
| alter evt4624_targetlinkedlogonid = replace(json_extract(action_evtlog_data_fields, "$.TargetLinkedLogonId"),"\"","")
| filter evt4624_logontype = "10" // 10 = RemoteInteractive (RDP); XQL comments use //, not #
| limit 10000
//| fields evt4624_*
| comp count(agent_hostname) by evt4624_logontype, agent_hostname, evt4624_targetusername
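Pulling the thread's pieces together as an added example (not code from the original posts or from Cortex XDR): the LogonType filter taken from the 4624 data_fields JSON, the machine-account and loopback exclusions from the original query, and the "seen exactly once in 7 days" aggregation, written in Python over constructed events so the logic can be checked outside XQL. The JSON keys mirror those in the last query above; the 7-day window, the loopback list and the choice of logon types 2, 10 and 11 as "interactive" are assumptions made here.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Windows Security event 4624 LogonType values that mean a person is at a console or RDP session.
INTERACTIVE_TYPES = {"2": "Interactive", "10": "RemoteInteractive", "11": "CachedInteractive"}
# Source addresses that are not a remote client ("::1" is the IPv6 loopback; "-" is what 4624 logs when absent).
LOOPBACK_SOURCES = {"", "-", "::1", "127.0.0.1"}


def parse_4624(raw_json: str) -> dict:
    """Pull the fields the detection needs out of a 4624 data_fields JSON document."""
    d = json.loads(raw_json)
    return {"user": d.get("TargetUserName", ""), "domain": d.get("TargetDomainName", ""),
            "logon_type": str(d.get("LogonType", "")), "src_ip": d.get("IpAddress", "")}


def is_candidate(f: dict) -> bool:
    """Keep interactive/remote logons by human accounts from a real remote source."""
    return (f["logon_type"] in INTERACTIVE_TYPES
            and not f["user"].endswith("$")            # machine accounts end in '$'
            and f["src_ip"] not in LOOPBACK_SOURCES)


def first_seen_logins(events, now, window_days=7):
    """events: iterable of (timestamp, hostname, raw_4624_json).
    Returns (user, domain, host, src_ip) tuples logged on exactly once in the window,
    i.e. the 'login_count = 1' aggregation the thread's XQL performs."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for ts, host, raw in events:
        if ts < cutoff:
            continue
        f = parse_4624(raw)
        if is_candidate(f):
            counts[(f["user"], f["domain"], host, f["src_ip"])] += 1
    return sorted(key for key, n in counts.items() if n == 1)


def _evt(user, domain, logon_type, ip):  # constructed sample record, shaped like action_evtlog_data_fields
    return json.dumps({"TargetUserName": user, "TargetDomainName": domain, "LogonType": logon_type, "IpAddress": ip})


NOW = datetime(2025, 11, 21, 12, 0)
SAMPLE_EVENTS = [  # constructed, not real telemetry
    (NOW - timedelta(hours=3), "srv01", _evt("admin", "CORP", "10", "10.0.0.5")),    # RDP, seen once -> hit
    (NOW - timedelta(hours=5), "srv01", _evt("svc_backup", "CORP", "5", "-")),        # service logon -> skip
    (NOW - timedelta(hours=6), "srv01", _evt("alice", "CORP", "3", "10.0.0.7")),      # network (share) -> skip
    (NOW - timedelta(hours=7), "srv02", _evt("bob", "CORP", "2", "127.0.0.1")),       # loopback source -> skip
    (NOW - timedelta(hours=8), "srv02", _evt("SRV03$", "CORP", "3", "10.0.0.8")),     # machine account -> skip
    (NOW - timedelta(days=1), "srv02", _evt("carol", "CORP", "10", "10.0.0.9")),      # seen twice -> not rare
    (NOW - timedelta(days=2), "srv02", _evt("carol", "CORP", "10", "10.0.0.9")),
    (NOW - timedelta(days=12), "srv02", _evt("dave", "CORP", "10", "10.0.0.10")),     # outside window -> skip
]
```

Calling `first_seen_logins(SAMPLE_EVENTS, NOW)` returns only the admin RDP logon to srv01; the network, service, loopback, machine-account, repeated and stale events are all dropped for the reasons noted inline.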