How to create security rule for Windows Authentication - Success from Public IPs Alert with KQL language?


I'm trying to create the custom use case "Windows Authentication - Success from Public IPs Alert" with below informations.

Event code = 4624
Action = Success
IP Range = Any Public IP

Here is my KQL query to create the custom rule for Windows OS.

(event.code : "4624" and event.outcome : "success") and (NOT winlog.event_data.IpAddress : 10.* or NOT winlog.event_data.IpAddress : 172.[16-31].* or NOT winlog.event_data.IpAddress : 192.168.*)

But doesn't work yet. It's always trigger the alert whatever I login with public and private IP. I just want to get the alert when login from public IP.

May I get your information how can I correct the query please? I'm looking forward to hear from you.

Thank you.

Below query also doesn't work for me.

event.code:"4624" and event.outcome:"success" and not winlog.event_data.IpAddress:("10." or "172.[16-31]." or "192.168.*")


This EQL also doesn't work for me.
As I'm new to ELK, I'm looking for someone's suggestion and your input is very valuable for me.


[event where event.code == "4624" and event.outcome == "success"]
[network where host.os.type == "windows" and not cidrmatch(winlog.event_data.IpAddress, "", "", "")]

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.