YARA-L: writing a rule

sek

Hi,

I have written a new rule, but it always shows 2 or more events/alerts. I only want to see one event for a successful login. I have posted a screenshot. How can I configure it?

Best regards

[Screenshot attachment: sek_0-1712744397134.jpeg]


Solved

1 ACCEPTED SOLUTION

In the original email, you mention multiple events/alerts. As I read through this thread, as Dan points out, we can't solve multiple 4624 events from Microsoft being logged (at least not at the rule level), but we can roll those multiple events being generated into a single detection/alert using the match section in a rule.

By adding placeholder variable(s) in the events section, like these for example:

$login.target.user.userid = $userid

$login.principal.hostname = $hostname

We could then add a match section:

match:
  $hostname over 5m

match:
  $userid over 5m

match:
  $hostname, $userid over 5m

And the result would be that all events that match the criteria in the event section are grouped by whatever value(s) are in the match section over the defined period of time.

Here is a quick video on aggregation that might be helpful: https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-SIEM-Aggr...

This isn't like for like, but here is an example on mimikatz and process launches that might help as well.

[Screenshot attachment: jstoner_0-1712843790508.png]


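Putting the accepted solution together as one complete rule (an added example, not the poster's or Google's code): the events section filters to successful 4624 logins and excludes the SYSTEM account and computer accounts as Dan suggested, the placeholder variables feed a match section so all of Microsoft's duplicate events for one user on one host within 5 minutes collapse into a single detection, and the outcome section records how many raw events were rolled up. The vendor/product filter values, the `\$$` computer-account pattern and the 5m window are assumptions to adjust to your own log source.

```yaral
rule windows_successful_login_one_detection_per_user_host {
  meta:
    author = "added example, not from the original thread"
    description = "One detection per user/host for Windows 4624 successful logins"
    severity = "Low"

  events:
    // Successful Windows logon (4624) in UDM form; vendor/product values are assumed
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.vendor_name = "Microsoft"
    $login.metadata.product_event_type = "4624"
    $login.security_result.action = "ALLOW"

    // Drop the machine/system-account logons that Windows logs alongside the user logon
    $login.target.user.userid != "SYSTEM"
    // Computer accounts end in "$" (assumed pattern; RE2 syntax in backticks)
    not re.regex($login.target.user.userid, `\$$`)

    // Placeholder variables that the match section groups on
    $login.target.user.userid = $userid
    $login.principal.hostname = $hostname

  match:
    // All matching events for the same user on the same host within 5 minutes
    // become one detection instead of one alert per raw 4624 event
    $userid, $hostname over 5m

  outcome:
    // How many raw events were rolled into this detection (useful when tuning the window)
    $event_count = count($login.metadata.id)
    $first_seen = min($login.metadata.event_timestamp.seconds)
    $last_seen = max($login.metadata.event_timestamp.seconds)

  condition:
    $login
}
```

If a single logon still produces several detections, widen the match window or check `$event_count` in the detection to see which events were grouped and which were not.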

5 REPLIES

Are you getting two 4624 events? 

I guess a better question is: what are the events if you do a login and then a test run for that time period?


When I log in, there are four events in 5 seconds. My question is: how can I write a rule so that 1 login = 1 detection?

Must I use "over"?


I don't believe this is a rule problem - it's a Microsoft problem.

A quick Google search shows multiple people with similar experiences.
https://www.nextofwindows.com/several-log-entries-of-event-4624

Also, when you look in the Windows logging console, are the events under your username or SYSTEM? If both, you can filter out the system account with a NOT statement in your rule.

After looking at my Windows machines - when I log in - there are several 4624 Event IDs.

Several of them are related to user SYSTEM. You may want to filter that out and use domain/regex or something for the username.



--
Thank you,
DN - dnehoda@google.com
440.787.1307
