Original article written on medium.
Use cases are created & modified according to the organization’s requirement. I am going to use this platform to explain the use cases I created and updated in GitHub.
First use case I will be discussing is based on the MITRE tactic — TA0001, gaining initial access.
Use case Name: Remote Services: Simultaneous Logins on a Host
Description: Multiple users logged into a single machine at the same time, or even within the same hour.
Sentinel format — the code:
SecurityEvent | where EventID == '4624' | where LogonType in (2,3,9,10) | where Account !endswith "$" | summarize earliest_time = min(TimeGenerated), latest_Time = max(TimeGenerated), UserCount = dcount(TargetUserName), Users = make_set(TargetUserName) by IpAddress | where latest_Time - earliest_time <= 1h and UserCount > 1
Explanation of the code:
Its the table/scheme which we will be using here for this usecase.
| where EventID == '4624'
We are looking at the logon events, hence using the windows login event id. Change this event id according to the version of the windows. Refer here for further information.
| where LogonType in (2,3,9,10)
We are focusing on certain logon type.
- 2 — Interactive (logon at keyboard and screen of system)
- 3 — Network (i.e. connection to shared folder on this computer from elsewhere on network)
- 9 — NewCredentials such as with RunAs or mapping a network drive with alternate credentials.
- 10 — RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
| where Account !endswith "$"
That’s the computer account. When a computer joins a domain it has to have an account associated with it in order to apply policy settings. This gets created automatically when the computer joins. This is to exclude false positives.
| summarize earliest_time = min(TimeGenerated), latest_Time = max(TimeGenerated), UserCount = dcount(TargetUserName), Users = make_set(TargetUserName) by IpAddress
Here I am getting the maximum and the minimum time, distinct count of the user by grouping the IP as well as collecting the user names using “make_set”. So the beauty of “make_set”, you can include as many you want, depending on the information you need.
| where latest_Time - earliest_time <= 1h and UserCount > 1
Now this is where we pass our condition. I have used the minimum and the maximum time to fix a duration and where distinct count of users is more than one.
Find the code on GitHub here.