XQL Query Assistance

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XQL Query Assistance

L0 Member

Hi all,

I'm new to Cortex and creating XQL queries. I was looking for a way to detect a brute force attack (failed logins followed by a successful login). Are there any good resources available online or can someone help me get this query built?

 

Thanks in advance


#Cortex XDR   

 

6 REPLIES 6

L5 Sessionator

Hi @WilliamHolloway if you are using Cortex XDR Pro, there are several Analytics Detectors that are automatically triggered during brute force attempts once the tenant has met the minimum requirements for Analytics. You can refer to this documentation as to how to enable Analytics.

L0 Member

Hi William , we can build a XQL Query and search for an event id like 4624 for successfully login and 4625 for failed login 😉

L1 Bithead

Has anyone created the XQL Query for this failed and successful logon? CrowdStrike had a great dashboard for this and I am looking to create inside our Cortex setup.

 

L2 Linker

@WilliamHolloway @TDoerr 
This probably answer half of your question, the query below is calculating the number of authentication failures per user/endpoint with the failure reason.
I figure you could start from here.

dataset = xdr_data // Using the xdr dataset

//Query against Windows Security Event ID 4625 - Authentication Failure
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName" ))
| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName" ))
| alter Target_DomainName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetDomainName" ))
| alter Workstation_IP = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress" ))
| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status" ))
| alter SubStatus = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.SubStatus" ))
| alter LogonType = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType" ))
| filter Target_UserName not contains "$"
| comp count(Status) as EventCount by Workstation_Name, Target_UserName, Target_DomainName , Status, SubStatus

// If the status/substatus description is empty, See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
| alter Status_Description = if(to_string(Status) = "0xC000006d", replace(Status, "0xC000006d", "This is either due to a bad username or authentication information"))
| alter Status_Description = if(to_string(Status) = "0xC0000234", replace(Status, "0xC0000234", "User is currently locked out"), Status_Description )
| alter Status_Description = if(to_string(Status) = "0xC000006e", replace(Status, "0xC000006e", "Valid authentication, but restricted."), Status_Description )

| alter SubStatus_Description = if(to_string(SubStatus) = "0xC000006a", replace(SubStatus, "0xC000006a", "User name is correct but the password is wrong"))
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000064", replace(SubStatus, "0xC0000064", "User name does not exist"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000071", replace(SubStatus, "0xC0000071", "Expired password"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000072", replace(SubStatus, "0xC0000072", "Account is currently disabled"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000193", replace(SubStatus, "0xC0000193", "Account expiration"), SubStatus_Description )

| sort desc Workstation_Name 
| fields Workstation_Name as Hostname , Target_UserName as Username, Target_DomainName as Domain, EventCount, Status, Status_Description , SubStatus , SubStatus_Description 

 hope this help.

AC

L1 Bithead

That works. 

L0 Member

Thank you! I've been trying to find a query to identify specific user authentications (which was proving devilishly hard for some reason) and this got me close enough to be workable. 

Any ideas on how to do something similar for a O365 Azure account? The dataset is going to be way different obviously 

  • 2458 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!