Hi,
i have wrotten a new Rule, but it shows always 2 or more Events/Alerts. I want to see only one Event at a succesfully Login. I have posted Screenhot. How can i configure it?
Best regards
Solved
YARA-L, Rule Schreiben
+1- Bronze 3
Best answer by jstoner
In the original email, you mention multiple events/alerts. As I read through this thread, as Dan points out, we can't solve multiple 4624 events from Microsoft being logged (at least not at the rule level), but we can roll those multiple events being generated into a single detection/alert using the match section in a rule.
By adding a placeholder variable(s) in the events section, like these for example
$login.target.user.userid = $userid
$login.principal.hostname = $hostname
We could then add a match section
match:
$hostname over 5m
match:
$userid over 5m
match:
$hostname, $userid over 5m
And the result would be that all events that match the criteria in the event section are grouped by whatever value(s) are in the match section over the defined period of time.
Here is a quick video on aggregation that might be helpful: https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-SIEM-Aggregating-events-in-rules/ta-p/635507
This isn't like for like, but an example on mimikatz and process launches that might help as well.
+16Are you getting two 4624 events?
I guess a better question is what are the events if you do a login and then a test run for that time period?
+1- Bronze 3
Are you getting two 4624 events?
I guess a better question is what are the events if you do a login and then a test run for that time period?
when I login, there are four events in 5 seconds. My Question is: How can i write a rule, that is 1 Login = 1 Detection
Must i use "over"?
+16when I login, there are four events in 5 seconds. My Question is: How can i write a rule, that is 1 Login = 1 Detection
Must i use "over"?
I don’t believe this a rule problem - it’s a Microsoft problem.
Quick google search shows multiple people with similar experiences.
https://www.nextofwindows.com/several-log-entries-of-event-4624
Also, when you look in the windows logging console are the events your username or system? If they are both, you can filter out the system account with a NOT statement in your rule.
+16when I login, there are four events in 5 seconds. My Question is: How can i write a rule, that is 1 Login = 1 Detection
Must i use "over"?
After looking at my windows machines - when I log in - there's several 4624
Event ID's.
Several of them are related to user - SYSTEM. You may want to filter that
out and use domain/regex or something for username.
--
Thank you,
DN - dnehoda@google.com
440.787.1307
+22In the original email, you mention multiple events/alerts. As I read through this thread, as Dan points out, we can't solve multiple 4624 events from Microsoft being logged (at least not at the rule level), but we can roll those multiple events being generated into a single detection/alert using the match section in a rule.
By adding a placeholder variable(s) in the events section, like these for example
$login.target.user.userid = $userid
$login.principal.hostname = $hostname
We could then add a match section
match:
$hostname over 5m
match:
$userid over 5m
match:
$hostname, $userid over 5m
And the result would be that all events that match the criteria in the event section are grouped by whatever value(s) are in the match section over the defined period of time.
Here is a quick video on aggregation that might be helpful: https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-SIEM-Aggregating-events-in-rules/ta-p/635507
This isn't like for like, but an example on mimikatz and process launches that might help as well.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.