This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XQL Query Assistance

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XQL Query Assistance

WilliamHolloway
L0 Member

‎01-27-2023 07:59 AM

Hi all,

I'm new to Cortex and creating XQL queries. I was looking for a way to detect a brute force attack (failed logins followed by a successful login). Are there any good resources available online or can someone help me get this query built?

 

Thanks in advance


#Cortex XDR   

 

0 Likes Likes
6 REPLIES 6

bbarmanroy
L5 Sessionator

‎02-07-2023 02:18 AM

Hi @WilliamHolloway if you are using Cortex XDR Pro, there are several Analytics Detectors that are automatically triggered during brute force attempts once the tenant has met the minimum requirements for Analytics. You can refer to this documentation as to how to enable Analytics.

0 Likes Likes

Alex_Necula
L0 Member

‎02-13-2023 12:43 AM

Hi William , we can build a XQL Query and search for an event id like 4624 for successfully login and 4625 for failed login 😉

0 Likes Likes

TDoerr
L1 Bithead

‎10-19-2023 06:31 AM

Has anyone created the XQL Query for this failed and successful logon? CrowdStrike had a great dashboard for this and I am looking to create inside our Cortex setup.

 

0 Likes Likes

Antony_Chan
L2 Linker

‎10-24-2023 03:04 AM

@WilliamHolloway @TDoerr 
This probably answer half of your question, the query below is calculating the number of authentication failures per user/endpoint with the failure reason.
I figure you could start from here.

dataset = xdr_data // Using the xdr dataset

//Query against Windows Security Event ID 4625 - Authentication Failure
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| alter Workstation_Name = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.WorkstationName" ))
| alter Target_UserName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetUserName" ))
| alter Target_DomainName = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.TargetDomainName" ))
| alter Workstation_IP = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.IpAddress" ))
| alter Status = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.Status" ))
| alter SubStatus = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.SubStatus" ))
| alter LogonType = lowercase(json_extract_scalar(to_json_string(action_evtlog_data_fields), "$.LogonType" ))
| filter Target_UserName not contains "$"
| comp count(Status) as EventCount by Workstation_Name, Target_UserName, Target_DomainName , Status, SubStatus

// If the status/substatus description is empty, See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
| alter Status_Description = if(to_string(Status) = "0xC000006d", replace(Status, "0xC000006d", "This is either due to a bad username or authentication information"))
| alter Status_Description = if(to_string(Status) = "0xC0000234", replace(Status, "0xC0000234", "User is currently locked out"), Status_Description )
| alter Status_Description = if(to_string(Status) = "0xC000006e", replace(Status, "0xC000006e", "Valid authentication, but restricted."), Status_Description )

| alter SubStatus_Description = if(to_string(SubStatus) = "0xC000006a", replace(SubStatus, "0xC000006a", "User name is correct but the password is wrong"))
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000064", replace(SubStatus, "0xC0000064", "User name does not exist"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000071", replace(SubStatus, "0xC0000071", "Expired password"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000072", replace(SubStatus, "0xC0000072", "Account is currently disabled"), SubStatus_Description )
| alter SubStatus_Description = if(to_string(SubStatus) = "0xC0000193", replace(SubStatus, "0xC0000193", "Account expiration"), SubStatus_Description )

| sort desc Workstation_Name 
| fields Workstation_Name as Hostname , Target_UserName as Username, Target_DomainName as Domain, EventCount, Status, Status_Description , SubStatus , SubStatus_Description

 hope this help.

AC
(1)

TDoerr
L1 Bithead

‎11-14-2023 09:14 AM

That works. 

0 Likes Likes

Jesse_Siegrist
L0 Member

‎02-16-2024 04:04 PM

Thank you! I've been trying to find a query to identify specific user authentications (which was proving devilishly hard for some reason) and this got me close enough to be workable. 

Any ideas on how to do something similar for a O365 Azure account? The dataset is going to be way different obviously 

0 Likes Likes
  • 2286 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks