How to create a security rule for the Windows Authentication - Success from Public IPs alert with the KQL language?

Hi,

I'm trying to create the custom use case "Windows Authentication - Success from Public IPs Alert" with the information below.

Event code = 4624
Action = Success
IP Range = Any Public IP

Here is my KQL query to create the custom rule for Windows OS.

(event.code : "4624" and event.outcome : "success") and (NOT winlog.event_data.IpAddress : 10.* or NOT winlog.event_data.IpAddress : 172.[16-31].* or NOT winlog.event_data.IpAddress : 192.168.*)

But it doesn't work yet. It always triggers the alert whether I log in from a public or a private IP. I just want to get the alert when the login is from a public IP.

Could you tell me how I can correct the query, please? I'm looking forward to hearing from you.

Thank you.

The query below also doesn't work for me.

event.code:"4624" and event.outcome:"success" and not winlog.event_data.IpAddress:("10." or "172.[16-31]." or "192.168.*")

Hi,

This EQL also doesn't work for me.
As I'm new to ELK, I'm looking for someone's suggestion and your input is very valuable for me.

sequence

[event where event.code == "4624" and event.outcome == "success"]
[network where host.os.type == "windows" and not cidrmatch(winlog.event_data.IpAddress, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24")]
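Added example, not part of the original posts: a Python model of the first query's boolean logic next to a corrected form, run over constructed 4624 events. It shows why `NOT a OR NOT b OR NOT c` matches every logon, and why the `/24` in the EQL attempt misses most of 192.168.x.x. The function names, the sample events and the loopback/link-local exclusions are assumptions made for this illustration.

```python
import ipaddress

# RFC 1918 ranges from the thread. 192.168.0.0/16 is the full private block;
# the /24 in the EQL attempt covers only 192.168.0.x.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption added here (not in the thread): also ignore loopback/link-local.
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

def is_4624_success(e):
    return e["event.code"] == "4624" and e["event.outcome"] == "success"

def parse_ip(e):
    try:
        return ipaddress.ip_address(e["winlog.event_data.IpAddress"])
    except ValueError:
        return None  # e.g. "-" when the logon has no network source

def in_any(ip, nets):
    return ip is not None and any(
        ip.version == n.version and ip in n for n in nets)

def rule_as_posted(e):
    # NOT a OR NOT b OR NOT c: no address sits in all three ranges at once,
    # so at least one NOT is always true and every 4624 success matches.
    ip = parse_ip(e)
    return is_4624_success(e) and any(not in_any(ip, [n]) for n in PRIVATE)

def rule_corrected(e):
    # NOT (a OR b OR c), equivalent to NOT a AND NOT b AND NOT c.
    ip = parse_ip(e)
    return (is_4624_success(e) and ip is not None
            and not in_any(ip, PRIVATE + LOCAL))

def event(ip, code="4624", outcome="success"):
    return {"event.code": code, "event.outcome": outcome,
            "winlog.event_data.IpAddress": ip}

# Constructed sample events; 203.0.113.10 (documentation range) stands in
# for a public source address.
EVENTS = [event("10.1.2.3"), event("172.20.5.9"), event("192.168.44.7"),
          event("203.0.113.10"), event("-"),
          event("203.0.113.10", code="4625", outcome="failure")]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["winlog.event_data.IpAddress"], e["event.code"],
              "posted:", rule_as_posted(e), "corrected:", rule_corrected(e))
```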
